DevSecFailureOps

Spicy Peppers Rating System | 🌶 - One Pepper | Bold and Zesty; Potentially Misinformation

Summary

Data blocks (Terraform Data sources) appear harmless, but aren’t. This is because every resource that relies on a data block is in danger of being replaced, because in some circumstances, data blocks are evaluated after apply. It’s just a matter of time.

I know the summary above didn’t make sense, so read on.

Data blocks explained

Data blocks, or data sources in Hashicorp’s parlance, are a convenient way to get at information. As a wise man once told me, data blocks are basically API calls (that retrieve data). I’ll refer to data sources as data blocks because in the code they are a data {} block.

If you’re entirely unfamiliar with them, Hashicorp docs provide a a good overview.

As I’ve discovered, data blocks are convenient right up until Terraform wants to replace the entire Kubernetes cluster. Did I mention it was the entire Kubernetes cluster? Not just a node pool, no, the entire Kubernetes cluster. And as bad as that sounds, it was worse, actually–yes, it was the entire Kubernetes cluster, but it was most everything else, too.

The danger, by example

This remarkably friendly GitHub issue details the danger better than I can, but I’ll try anyway, with the minimum possible example. An MVP of failure, if you will.

In this example, we have two things:

• not managed by terraform: a subnet subnet1
• managed by terraform: a network interface (think NIC, but in the cloud) which lives on the subnet

The Beginning: No Data Blocks, No Problems

In the beginning, we’ll start with no frills and no data blocks.

######################################
## The Beginning: No Data Blocks
######################################

# subnet already exists, not managed by terraform

resource "azurerm_network_interface" "example" {
  # note it's a hardcoded string - a potential DRY violation! Call the cops
  subnet_id      = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/examplerg/providers/Microsoft.Network/virtualNetworks/examplevnet/subnets/subnet1"

  # ... (details omitted)
}

This creates a network interface that is placed on subnet1.

And it works great! To specify which subnet to place the azurerm_network_interface in, we’ve hardcoded the subnet_id. This works, it’s safe, and any potential mistakes can be discovered during a terraform plan. As for downsides: this giant ugly ID is ugly? And hard to read?

So here’s what we did next, for a little bit of convenience. Let’s call this scenario Trouble Ahead: Storm’s A-brewin'.

Trouble Ahead: Data Block Introduced

######################################
## Trouble Ahead: Data Block Introduced For Convenience
######################################

# subnet already exists - thus we reference it as a 'data' block
data "azurerm_subnet" "example" {
  name                 = var.subnet_name
  resource_group_name  = var.resource_group_name
  virtual_network_name = var.virtual_network_name
}

resource "azurerm_network_interface" "example" {
  # note subnet_id is bound to a data block
  subnet_id      = data.azurerm_subnet.example.id

  # ... (details omitted)
}

The network interface is still placed on subnet1, but we’ve avoided using the full, ugly ID for subnet1, and instead use variables (which we presumably use elsewhere anyways).

While this works perfectly on the initial terraform apply, we are now in potential future danger of replacing our azurerm_network_interface resource.

The danger is not immediate–so far, we’re still safe. To fall fully into the trap, we need to do a few specific things:

• Use a data block in a module
• Use outputs from that module
• Explicitly depends_on that module

And let me be clear that because no one on my team knew to avoid this, we built the terraform in such a way that the majority of our infrastructure was affected by such an issue. It’s not that difficult to do. Use data blocks freely and introduce modules as your terraform grows. In just a short time, you’ll be in trouble, just like me!

Let’s see what such a disaster looks like:

Imminent Doom: Don’t Hit That Apply Button

######################################
## Imminent Doom: Data Block + Module + depends_on
######################################

# ~~~~~~ vnet module.tf ~~~~~~
data "azurerm_subnet" "example" {
  name                 = var.subnet_name
  resource_group_name  = var.resource_group_name
  virtual_network_name = var.virtual_network_name
}


# ~~~~~~    main.tf     ~~~~~~
module "vnet" {
  # ... (details omitted)
}

resource "azurerm_network_interface" "example" {
  # note subnet_id is bound to a data block, by way of the vnet module
  subnet_id      = module.vnet.subnet1.id

  depends_on = [module.vnet]
}

We have introduced a vnet module, which outputs the long, ugly subnet ID into a convenient variable. And use it, of course. Harmless, right? Let’s look at what terraform plan tells us now:

# (the following is a partial `terraform plan` output)

# resource.azurerm_network_interface.example must be replaced
-/+ resource "azurerm_network_interface" "example" {
  subnet_id           = "...(omitted for space)..." -> (known after apply) # forces replacement

  # ... (omitted)
}

The key phrase here that has burned itself into my retinas and haunts me at night is -> (known after apply) # forces replacement. And congratulations, we’re about to replace all our infrastructure!

That’s a bad thing.

Explanation

So let’s walk through what happened, to the best of my understanding.

1. We have resources in terraform.
2. Those resources rely directly or indirectly on data blocks.
3. The data blocks are in a module, and we explicitly depends_on that module.
4. Presumably (speculating), terraform can’t know the value of the output of the module until later than usual–during apply of the module–and because of this, it doesn’t know if values will change.
5. Therefore, it chooses the only predictable choice, and assumes that yes, the value will change.
6. And if this forces replacement of an entire resource, well, so be it.
7. Anyway a big chunk of our infrastructure is now cursed by the dreaded -> (known after apply) # forces replacement message.
8. And though I haven’t tested it, according to the GitHub Issue at https://github.com/hashicorp/terraform/issues/28377 - terraform is not bluffing and will indeed destroy and replace our resources.

Alternate Explanations

There are two succinct, authoritative answers on the GitHub Issue thread explaining what’s happening:

• First explanation
• Second explanation

Solution: Stop Using Data Blocks

One solution is to stop using data blocks. Here’s the example, ‘fixed’:

######################################
## The Path of Enlightenment: Not Relying On Data Blocks
######################################

# subnet already exists, not managed by terraform

resource "azurerm_network_interface" "example" {
  # note it's a hardcoded string - what beautiful simplicity!
  subnet_id      = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/examplerg/providers/Microsoft.Network/virtualNetworks/examplevnet/subnets/subnet1"

  # ... (details omitted)
}

Before enlightenment: chop wood, carry water. After enlightenment: chop wood, carry water.

And while I’ve hardcoded the subnet_id in the enlightened example above, I would (and certainly have) extracted out either a local variable or a module-level var. And there’s certainly a guiding principle as to when to extract variables, but … (handwaving) go read a book.

Alternate Solutions: Import Everything, Stop Using depends_on

There are several real, alternate solutions to consider when dealing with data blocks.

• Import the resource into terraform, so you can replace the data block with a resource. Pinocchio is a real boy now! A real boy who is managed by Terraform, with all that entails. This is probably the best solution, so long as you’re able to make it happen.
• As the GitHub Issue mentions, avoid depends_on, especially if you don’t need it.

More “Solutions”

Here are some other things to consider.

• “Hello, Pulumi Incorporated? Yes? I hear you like both customers and money? Yes? That’s great! I’ll be right over!”
• Move into the mountains, live off of the land, make your own clothes. Don’t worry about medical care, just crush up leaves and rub them on whatever’s ailing you, and breathe in that fresh mountain air. Invigorating! Use your old work laptop as part of the shelter–a constant reminder of the old world and why you left it behind. If you’re honest, it’s miserable in the wild, but at least you don’t have to deal with Terraform. That’s what you tell yourself as you rub more crushed leaves on the rash. The rash is still growing, and it’s starting to burn now more than itch. It’s cold. Cold in the mountains.

Political Advocacy and a cry for help

I have several things to say:

1. Political advocacy: I blame HashiCorp for casually tossing data blocks around in the documentation. Put a stern warning in there, Hashicorp. These things are productivity landmines.
2. Hashicorp: seriously, these things are dangerous. terraform validate should warn me for every single data block I use. Sure, some data blocks can be used safely, as can sticks of dynamite. But let’s put some guardrails on these things, okay?
3. Am I missing something? I feel like I’m missing something obvious, and I wasted all this time writing up the issue, when (insert your simple explanation). Seriously, let me know if I’m doing something wrong. @pseale on twitter or peter @ pseale.com.

tl;dr with bullet points and few words

• Terraform data sources scary, sometimes make big boom
• Thus, avoid
• Import as resource instead
• Or, hardcode instead
• Am I crazy?

Spicy Peppers Rating System | 🚫 - Zero Peppers | Mild and Nutritious; Blandly Educational

Covered here:

• what WSL is, and how to install it
• astonishingly useful WSL tips!
• ugly network troubleshooting
• boring, specialized topics that target 1% of you. 99% of you will be totally bored, but the remaining 1% will weep for joy

Introduction: What is WSL, and how is it useful?

WSL, the Windows Subsystem for Linux, is a surprisingly easy-to-install, convenient way to run Linux on Windows.

I use WSL to:

• ssh
• test and develop shell scripts
• run curl, base64, openssl, and whatnot
• run seedy bash one-liners I found on the internet
• run Windows-incompatible tools - most notably, TUIs like tig don’t run in Windows
• configure neovim plugins for 7-20 hours every week (this is a joke, don’t hurt me)

All of these things can be done without WSL, but it’s less effort to go with the flow and say, run ssh as nature intended. As a real example, every complex kubectl script I’ve seen was written in bash. And sure, you can convert those scripts to PowerShell, or you can somehow run bash directly on Windows…but why? It’s easier in WSL.

WSL is also well-isolated, such that I have already installed, deleted, migrated, reinstalled, and re-reinstalled distros without issue. In other words, WSL doesn’t do spooky things to your host like 👻👻👻cygwin👻👻👻 does. Spoken in love, cygwin.

Installing: WSL itself

As of 2022, installing WSL2 is as simple as running (as Administrator) wsl --install if you’re lucky. Read this if you’re not lucky: https://docs.microsoft.com/en-us/windows/wsl/install#install

You will need to Enable Virtualization in your BIOS if it isn’t already enabled. Good luck. Everyone’s BIOS is different. These instructions are good: https://bce.berkeley.edu/enabling-virtualization-in-your-pc-bios.html. Personally, my expert technique to access the BIOS menu is to reboot and use both hands to repeatedly tap Del, F1, F2, F8, F9, F12 all together like a complex piano chord, as quickly as possible, while thinking happy thoughts.

Beware of older, outdated instructions for installing WSL1 and even WSL2. And in full disclosure, I’m writing this sentence in April 2022, and I’m sure my instructions will similarly fall out of date. In the future you’ll spend 45 minutes begging your Windows Store Personal GAN Shopping Assistant to install WSL, and it won’t, of course. Anyway good luck in the future.

Installing: a linux distro

Installing a specific distro happens through the Windows Store. I don’t know why, either. Maybe forcing die-hard CLI advocates to install their favorite GPL-licensed distro through the comically commercialized Windows Store is a kind of joke? Well, intentional or no, it’s hilarious.

If you don’t know which distro to install, pick the most recent version of Ubuntu. And if you think you want to argue with this deliberately simplistic advice, then you are definitely not the target audience for it. Go in peace.

I should also point out that you can use the CLI to install a limited selection of distros:

# list available distros - more are available through the Windows Store than here
wsl --list --online

# install kali-linux
wsl --install -d kali-linux

Surprisingly useful things

WSL can launch Windows programs and use them in pipelines. There are some great things you can do with this synergy:

# launch Windows Explorer here - three ways
cmd.exe /c start .
explorer.exe
powershell.exe -Command ii .

# works on links too
cmd.exe /c start https://google.com/search?q=expert+wsl+devsecfailureops

# pipe directly to the Windows clipboard
echo "hunter2" | base64 | clip.exe

You can also run WSL processes in your PowerShell pipeline, but I haven’t found many good uses for it. I guess I could do something like the following? Anyway, it’s possible.

# base64-encode whatever's on the clipboard, and put that back on the clipboard
Get-Clipboard | wsl base64 | Set-Clipboard

Accessing files

Windows can access the WSL distro’s filesystem, and the WSL distro can access Windows' filesystem.

From Windows:

• Files in WSL are accessible. By example, the full path for \\wsl$\Ubuntu-20.04\home\p\.bashrc is formed as such:
  • \\wsl$\Ubuntu-20.04 accesses the root of the Ubuntu 20.04 filesystem
  • /home/p/.bashrc is the path within that filesystem
  • thus \\wsl$\Ubuntu-20.04 + /home/p/.bashrc -> \\wsl$\Ubuntu-20.04\home\p\.bashrc
• cd \\wsl$\Ubuntu-20.04 works in PowerShell, and even cmd.exe has limited support for UNC-style paths
• Accessing \\wsl$ from the Explorer address bar lets you lazily navigate around WSL with the mouse and other GUI affordances–*audible gasp* BUT I WOULD NEVER! I haven’t touched my mouse since 2018, I swear! And that was an accident!

From WSL:

• Files in Windows are accessible. By example, the full path for /mnt/c/Users/p/Desktop/passwords.txt is formed as such:
  • /mnt/c accesses the root of the C: (all Windows drives are mounted to /mnt/<driveletter>)
  • \Users\p\Desktop\passwords.txt is the path from within C:
  • thus /mnt/c + \Users\p\Desktop\passwords.txt -> /mnt/c/Users/p/Desktop/passwords.txt
• Windows paths referenced from WSL are case-sensitive. This is easier to remember once you’ve been burned by it 3-4 times (or 300-400 maybe).

wsl.exe usage

Here are the specific things I’ve done with wsl.exe:

# start default distro and launch shell
# also kicks the WSL subsystem into gear if WSL's not running, for whatever reason
wsl

# list - useful if you're playing around with multiple distros, or don't know what you're doing
# I should point out that you can simultaneously install multiple distros
wsl --list

# shutdown
wsl --shutdown

You can quickly invoke the WSL shell via wsl.exe. The details are explained by example below:

# both   --exec   and   (any unrecognized parameter)   run a command in the WSL distro
# everything after   --   is delegated to the WSL distro
wsl --exec echo "I'm in unix! PowerShell version: $($PSVersionTable.PSVersion) <--evaluated in PowerShell in Windows"
wsl ls -al
wsl -- ls -al


# SUBTLE DIFFERENCE BELOW - PAY ATTENTION:

# these echo back       WSL distro: Ubuntu-20.04
wsl echo "WSL distro: `${WSL_DISTRO_NAME}"
wsl -- echo "WSL distro: `${WSL_DISTRO_NAME}"

# this echoes back      WSL Distro: ${WSL_DISTRO_NAME}
wsl --exec echo "WSL Distro: `${WSL_DISTRO_NAME}"

Seamless Text Editing: VS Code

VS Code (running in Windows) seamlessly edits files in WSL2, so long as you’ve installed either the Remote - WSL extension, or the Remote Development extension.

To painlessly launch VS Code from within the WSL filesystem, do the same as anywhere else:

# In WSL, this works the same for the end-user (you), but does very different things under the hood
code .

Seamless Terminal Experience: Windows Terminal

I launch the Ubuntu 20.04 shell in a new tab in Windows Terminal with CTRL + SHIFT + 2. Windows Terminal is highly configurable, so your hotkeys may vary.

Small nitpick: there are occasional display bugs in Windows Terminal. I’ve noticed too–it’s not just you.

WSL: Turning it off and on again

There are two options here: the one you hope works, and the one you know works. WSL’s --shutdown command is usually effective.

• The option you hope works: wsl --shutdown followed by wsl
• The option you know works, for certain: reboot Windows (sorry)

WSL uses RAM

• If you’re running WSL on a Windows OS with only 16GB of RAM, consider upgrading to 32GB. With 16GB, you’re likely using all your RAM and relying on swap. This will slow you down noticeably. I mean, yes, we mostly blame Chrome and curse the day Electron was invented, and they’re the worst offenders. I’m just saying that once you start running containers or VMs on 16GB of RAM, you’re done. You’re done.
• WSL2 appears as Vmmem in Task Manager. Ubuntu 20.04 on my machine is currently using just under 2GB of RAM.
• To check available RAM, look at Performance->Memory in Task Manager.

Boring and Necessary: Networking issues

Listen up! Networking in WSL is magic. And by magic I mean opaque, mysterious, fickle, and moody. I’ve done several things to fix networking issues:

• If DNS dies regularly in WSL, fix it permanently with this WSL-specific change: https://superuser.com/a/1533768
• Set MTU to 1400 - I would love to explain this further, but in short, I can’t. Good luck, and if you google your mysterious networking-related error message and some of the first results are for setting the ‘MTU’, then try it, certainly. The last time I saw this error, someone was trying to clone a git repo.

Boring and Necessary: Line endings

This is a really boring topic, but if you need it, you need it.

Git for Windows is probably checking out files with CRLF line endings (the specifics are here: https://docs.github.com/en/get-started/getting-started-with-git/configuring-git-to-handle-line-endings). For most of us, if you commit files in Windows, push to GitHub, and pull them down in WSL, the line endings are LF in WSL and CRLF in Windows, which is probably what you want. However, if you’re manipulating/accessing files across Linux and Windows boundaries, consider several solutions to tackling the line ending problem:

• dos2unix to manually convert a file from LF to CRLF, or CRLF to LF, from inside WSL
• Manually load and change line endings in your text editor. E.g. in VS Code in the status bar, it will indicate either LF or CRLF. You can change this by clicking on the LF (or CRLF) indicator in the status bar, or from the Command Palette: >Change End of Line Sequence.

More permanent, team-friendly defaults:

• set .gitattributes in individual repos to always checkout some file types (e.g. shell scripts) as LF
• set .gitattributes in specific repos to always checkout all files as LF

More permanent defaults for your git install (only affects you, not the team):

• via git config --global core.autocrlf
• via git config --global core.eol

Spicy Peppers Rating System | 🚫 - Zero Peppers | Inoffensive and Sincere

Summary

1. Command Palettes let you search for and run commands by descriptive name.
2. Thus for rare or obscure tasks, using the Command Palette is much easier than hunting down commands in Nested->Edit->Menus or memorizing arcane key chords. This is a big productivity boost, and I’m the only person I know who does this. You people are doing it all wrong! “You people are doing it all wrong” is generally true, but I digress.
3. Command Palettes are in every major text editor and IDE.
4. They’re also in weird places like Windows Terminal and Chrome Developer Tools.

By example

In VS Code, I sometimes run >Format Document. I know this is available through either a deeply nested File->Etc menu or a hotkey.

In the case of Format Document, it is apparently bound by default to ALT+SHIFT+F. Reasonable, but unmemorable for something I do rarely in my part-time text editor. In days of yore, I might have tried to memorize this keybind! Or worse, ｃｕｓｔｏｍｉｚｅ ｍｙ ｋｅｙｂｉｎｄｓ!

But now that I’ve acclimated to relying on Command Palettes, I’ll open the Command Palette, lazily type a few letters of format, lazily arrow up and down, lazily press ENTER, lazily be done with it. And all effortlessly, without expending my precious brain energy!

Command Palettes: Give your brain a break

Format Document is just one example of something I do once a month or so. I’ve also messed with BOM encodings via Change File Encoding, fiddled with with line endings via Change End of Line Sequence, and even used the Fold command to collapse some XML that one time!

In Windows Terminal, I’ve split the terminal pane so I could watch several things at once. Thanks to the Command Palette, I didn’t have to hunt down the settings and memorize ALT+SHIFT++. Instead, I put my brain on vacation, opened the Command Palette, searched for split, ran it, and moved on with my life.

Your IDE and You

Command Palettes are available in:

1. Sublime Text - the original!
2. VS Code - VS Code did a great job harvesting Sublime Text’s best features, and the Command Palette is one such feature. Well done, thieves!
3. Visual Studio - here it is called Search
4. JetBrains Products - here it is available through either Find Action, or Search Everywhere–either will do the trick
5. Google Chrome Dev Tools - here it is called Command Menu
6. Windows Terminal - as weird as it sounds, the Command Palette exists here!
7. Vim - as with all things Vim, there are many paths up the mountain, none of which is the ‘true’ one. Vim plugin universalism: you heard it here first.

Command Palette Conventions

1. I have the Command Palette bound to CTRL+SHIFT+P everywhere. This is already the default keybind in many places. MacOS users: as with all things, mentally replace CTRL with CMD.
2. Similarly, CTRL+P should navigate to files. MacOS: CMD+P.
3. Command Palettes support a kind of forgiving fuzzy search[1] syntax and a convenient dropdown list of commands. If you’ve never seen this before, the key word here is fuzzy. It’s fuzzy search. It’s not strict.
4. The Command Palette shows keybinds (if any exist) for the command. Use the Command Palette like a cheatsheet.
5. VS Code, JetBrains, and Google Chrome support mode swapping through the addition or removal of the > prefix. So, by example:
   • Searching for >format gives the Format Document command
   • Searching for format without the > prefix gives formatter.js.

Footnotes:

[1] Is Command Palette fuzzy search fuzzy like fzf? Who can say? Not I! Not I.

Welcome! I’m Peter, and I’m here to:

• get a load off my chest
• write some spicy 🌶🌶🌶 hot takes
• have some fun
• make some jokes
• sometimes make a serious point
• but also bury that serious point in a nuclear-grade take 💣

You’re here to:

• learn something
• be entertained
• be enraged
• sample a Neopolitan-esque combination of all three flavors. Let’s call this edu-tain-ragement. Edutainragement. Flows off the tongue.

I don’t take myself, these hot takes, or this blog too seriously. Enjoy!

Spicy Peppers Rating System