| 25 Oct 2021 |
genadij.udarov | In reply to @blaggacao:matrix.org
- most providers do only keep state for speed and can fully recover from a lost state through the remote APIs.
Interesting. Didn't know about that. | 17:31:39 |
David Arnold (blaggacao) | You can use terranix, but I'd recommend doing copy-hcl / pasta-json-nix directly from the upstream docs. | 17:31:59 |
David Arnold (blaggacao) | This gives you a significantly increased body of documentation. | 17:32:20 |
genadij.udarov | upstream docs being tf docs, right? | 17:32:39 |
David Arnold (blaggacao) | The only trick is: "copy-hcl / pasta-nix-json" | 17:32:43 |
David Arnold (blaggacao) | That transformation is really _obvious_ after ~1/2 hour of playing. | 17:33:22 |
genadij.udarov | Thanks! | 17:37:21 |
David Arnold (blaggacao) | You should be able to use cloud providers as a source of truth with terraform data resources. | 17:38:33 |
David Arnold (blaggacao) | You need to make a trade-off decision, though, on how much exogenous information you want to accept / can't avoid in your gitops workflow. | 17:39:18 |
David Arnold (blaggacao) | I'd say: exogenous is ok if you can't avoid it.
Exogenous is ok for those "ephemeral" envs that you spoke of. | 17:40:09 |
genadij.udarov | In reply to @blaggacao:matrix.org You should be able to use cloud providers as a source of truth with terraform data resources. So the tf contents would be like data ... resource { if data is null }? I've got some tf experience, but have never thought of / encountered such pattern. | 17:41:14 |
David Arnold (blaggacao) | I can't really tell, but I can add this: TF, as well as `nomia`, provide CRUD-like semantics on remote resources. | 17:42:19 |
David Arnold (blaggacao) | There are limitations to the stack-depths, though. | 17:42:54 |
David Arnold (blaggacao) | As in nix (without IFD), you only have two stages: eval / build. I think TF also has a similar limitation and there is no recursive TF or such thing. | 17:43:42 |
David Arnold (blaggacao) | A similarity, which is not a coincidence on a very fundamental level. | 17:44:24 |
genadij.udarov | True. Back in the day, tf used to rely solely on tfstate to decide what API calls to do. I guess I could hack something that would generate tfstate from nix, if I'd need to. :-D Thanks for the input, I think I'll be able to start hacking a PoC now. | 17:46:22 |
David Arnold (blaggacao) | Cool! Just make sure you don't _needlessly_ allow exogenous data to be input into your gitops capsule. | 17:47:08 |
@timdeh:matrix.org | I wonder if committing the tfstate file would be a possible solution 🤔 | 17:47:26 |
David Arnold (blaggacao) | If it doesn't hold secrets, yes. | 17:47:44 |
@timdeh:matrix.org | speaking of which, I found yet another pass like yesterday 😅 https://share-secrets-safely.github.io/cli/compare.html | 17:48:20 |
David Arnold (blaggacao) | If we plug an encryption workflow in front of it, then we need things like git smudge/clean or direct tf support for encrypted state files. | 17:48:38 |
@timdeh:matrix.org | I was just considering if it would be possible to do some weaker form of forward secrecy with git and gpg by simply having a tool generate a new subkey on each commit, and burning it after each subsequent change to secrets 🤔 | 17:51:48 |
@timdeh:matrix.org | usually with perfect forward secrecy that temporary session key would live only in memory, so it's not quite "perfect" forward secrecy, but it would be an improvement over having the entire agenix and/or git-crypt history accessible from the same key | 17:52:26 |
David Arnold (blaggacao) | In reply to @timdeh:matrix.org speaking of which, I found yet another pass like yesterday 😅 https://share-secrets-safely.github.io/cli/compare.html I have the impression that somebody needs a divnix/data-merge but for injecting secrets. This is interesting since pure nix does not allow injecting attributes. | 18:02:44 |