
DCA - Allow the demo to apply effortless-config separately #35

Open
anthonygrees opened this issue Jul 1, 2019 · 8 comments
Labels
enhancement New feature or request

Comments

@anthonygrees

@ChefRycar
The demo is great but it scans using effortless-audit and then automatically applies the effortless-config habitat service, remediating the CentOS nodes very quickly.

This does not allow time for an Architect to talk through the DCA concept with the customer and then show the remediation being applied (effortless-config).

It would be great if we could apply the remediation via a flag in Terraform or simply 'hab svc load effortless-config' on the node command line and then show the CentOS nodes being updated.

@anthonygrees anthonygrees added the enhancement New feature or request label Jul 1, 2019
@NickRycar

Talked a bit about this on slack, but throwing it in here so I'll remember.

So, because things aren't bootstrapped by traditional means, we'll need an alternative to the old-style run-list editing. Since everything's in hab, the path of least resistance seems to be to update effortless config to leave things unfixed or partially fixed initially, so a demoer can then promote the fix through bldr to demonstrate DCA.

Thought is that MVP would be instructions for how to do so on a demoer's personal origin, and that can be seeded in via variables instead of using the stock effortless origin.

Longer term, it probably makes sense to try deploying a private repo with the environment to better formalize the process.

@jmery
Contributor

jmery commented Jul 2, 2019

@anthonygrees in the interim, would it be okay to show the scan history in A2 or is it fixing things too fast for them to ever show up as failed?

@NickRycar

IIRC the first run shows up as failed, but the interval is such that the page quickly fills up with passing audits, and you have to dig to get to the failure.

@smford22
Contributor

@anthonygrees @ChefRycar @jmery I am not sure that this is the best repo to tell DCA. It tells the story of EAS in which each layer of the stack is managed in the same 'one way to prod...' If we actually want to do a DCA or 'Zero Day Vulnerability' demo...I have improvised those very easily using existing repos. I think we could easily create one that is designed to tell that story.

Nat Parks in my mind is showing application lifecycle on top of infra that is hardened and compliant with our kit.

@NickRycar

I've had the idea to do sort of a meta-repo where we could pull in whatever story elements are required. I've been using this one as my baseline, since it's the most "kitchen sink" repo of all the post-BJC materials, but probably worth figuring out how we'd want such a thing to be shaped so we can pull in/wrap useful content in repos like this one without duplicating a lot of work.

@jmery
Contributor

jmery commented Jul 29, 2019

Possibly make use of tf modules @ChefRycar? I just want to be wary of recreating the BJC hydra of development.

@NickRycar

Indeed. I'll look into settin' something up.

@NickRycar

Still looking at doing some rearchitecting here for a more permanent way to do a DCA-style demo, but for the time being, I'm going to look at making the Chef Infra and Chef InSpec packages definable/togglable so that we can more easily get ourselves into an appropriate "broken" state to facilitate telling this story. Stay tuned!
