-
How to Setup Google Workload Identity Federation for Github Actions Runners
When using GHA(Github Actions) for CI/CD purposes, the Github-hosted runners are free unless you use it quite a lot. But if I want to use GHA to build a docker container image and save it to my private repository in Google Artifact Registry, I have to grant the permission to some VMs I don’t even…
-
Solved: Atlantis Couldn’t Track Google Service Account Keys in State File
Atlantis is a great tool to do Terraform infrastructure-as-code and gitops together. I got it setup and running alright but when I let it to manage some service account keys(I know, not the best option, but in my situation I had to use it), it kept trying to re-create even if the key exists. Turns…
-
Solved: Error 403: The caller does not have permission
Recently I got a very confusing error when setting up a PubSub subscription to write to a Big Query table via terraform. Here’s the partial terraform code snippet: And the input variable subscriptions looks like: It doesn’t show any error when doing terraform plan however it gives 403 error when applying. After some googling I…
-
How to Avoid Rebuild Resources with Terraform/Terragrunt
I use Terraform and Terragrunt a lot at work to keep track of infrastructure changes. Sometimes I refactored code in modules so there’s no change to infrastructure but since the module changed terraform will insist to rebuild affected resources. It’s not quite comfortable to destroy some resources and then just create exactly the same ones.…
-
How to Use the Sidecar Resource to Optimise Memory Footprint of Istio Sidecar
In a populous GKE cluster, I saw the memory utilisation getting very high. After some investigation, to my surprise, a great deal of memory was consumed by tiny Istio sidecars. And they are getting bloated round the clock. The Istio sidecar essentially is an envoy proxy configured by Istio controller – istiod. It’s usually light-weight,…
-
Terraform: String Manipulation for Default Domains
Imaging when I needed to grant access to a Google storage bucket for a list of Google service accounts, I put the list in YAML like this: Assuming horizon is the default GCP project and mass-effect is a partner project and most GSAs are of course from the default project. So can this list be…
-
How to Replace Characters in MongoDB
TL; DR: As of MongoDB 6.0, this is how I learned to replace some characters in a field in all documents. In the example below all “.” characters in field_name will be replaced by “_” character: The backstory is when using MongoDB with MongoEngine, there’s an issue when a key in a dictionary field contains…
-
Sample Terraform Code to Manage Temporary Access to GCP
TL; DR: This is a way to grant a temporary access to some GCP resources using Terraform’s time_static and google_project_iam_member resources. 🙂