Infrastructure Setup

[00:00:00]
>> We're finally at the point where we're actually ready to start building things. So we're gonna build some infrastructure between today and tomorrow. And we're gonna be focusing on a lot of different components. So the first thing I'd like to do is I would like to for starters, make sure that you know, all the providers that we're choosing.

[00:00:19]
So these URLs right here are all the links that you will need. So, yes, we are doing things now. These are all the links you'll need to basically sign up for accounts if you dont have an account with these specific things. And if you have the slides, feel free to do this now.

[00:00:36]
But what we'll need is we'll need each one of you to make sure you have a Doppler account, a GitHub account, a Terraform Cloud account, and an AWS account. And we'll go through, we can go through these more individually in a second, but if you want to get started on that now you're more than welcome to.

[00:00:52]
You might see one of these and say like we haven't talked about this at all, why is this on the list? Doppler so it was brought up earlier like how do you manage secrets? Right? Like how do you make sure you're not like daxing yourself and stuff like that?

[00:01:05]
And for a long time, I didn't really have a good answer to that [LAUGH] to be honest. I use vault in production like as a hashey corpse vault as like a secret safe for services, but I didn't have one for like development like right now if we're gonna build a whole bunch of Amazon stuff.

[00:01:22]
How do I make sure I don't share my keys with you guys stuff like that and so yeah, the TLDR is doppler is a CLI tool that makes it so that you can inject secrets into your CLI while you're running commands. And so what you do is you go into Doppler.

[00:01:42]
And we'll do this again, I'll show you in a second. But you go into Doppler, you create a configuration with your secrets inside of it, and then the CLI will enable you to essentially pipe those secrets into the environment and so that you can do it securely and have a separate place for your secrets.

[00:01:59]
I highly recommend Doppler. I really, really think it's a good product especially if you're somebody who has dot files and dot m's laying around everywhere and doesn't know how to save any of these things, Doppler will is a really, really good product and it'll help you, at least from a developer perspective, manage your secrets for you a lot better.

[00:02:19]
GitHub Actions, like I said, there's a lot of ci, cd stuff on there. I decided to go with GitHub Actions just because source control's right next to our pipelines. What I mean it's all in one place. We don't have to go and create a whole another account or sign up another thing.

[00:02:34]
And so in this case it's right there. We just add a file and it works. And the last one, Amazon we went with Amazon just because it's the most used it's the most commonly used. And a lot of the principles in what we're gonna build should be easily movable to other cloud providers if you need.

[00:02:56]
>> There's a question on secrets in general like what I guess in your experience is the biggest risk with secrets what are you trying to prevent cuz
>> Giving developers access to them. [LAUGH] Yeah. So we don't let developers in production touch secrets at Hippo. They can touch it in any other environment, but they cannot touch them in production.

[00:03:25]
We realized that they didn't care enough to make it worthwhile to let them do that. And it's not rudeness. It's just like, it's so hard when you're focused on building the feature to then also have the energy to be like, okay now let me deploy it. And so we realized that with production at least because it's so sick, like we had it's the thing we need up all the time we decided that that would be something we took care of.

[00:03:53]
And so with that, there's actual proper policy where you have to create a ticket. You have to tell us which variables you want, where you want them added. And then we will go in and add them for you. In other environments, though, developers can do it themselves. So we have vault.

[00:04:09]
There's other solutions out there. And they can go in and make their changes and they basically, they can do all their changes before production, to test what they want without us, right? But then the moment it goes to prod, that's when we say, okay, give us the secrets and we'll update it.

[00:04:26]
So we just don't let them do it, yeah. [LAUGH] As for local dev and stuff, we don't even use Doppler at Hippo. Which is something I wish we did. So at Hippo, we just good, old-fashioned .m files and copying and pasting and readme docs. And yeah, we're talking about an enterprise company with over 150 developers.

[00:04:47]
It just kinda shows you that it still is a pretty common way of doing stuff. But it also goes to show you that that's not something that's trying to be improved. So we took that responsibility and we said alright if it's prod you have to follow through us if anything else just break it yourself.

[00:05:07]
Our motto really is, if it's pre-production, break it, we don't care. Prod is the only thing we really care about. So yeah, I do think that if you're gonna have secrets though, at least at your company, using a service like Vault, or even Doppler, something that can store them for you.

[00:05:25]
And have a database around that and stuff like that, even in versioning. If you change a secret and then you're like, no, what was that last secret? I got a revert. That's things Doppler things like that Vault can help you with that. So, secrets again, they're massively, they're intrinsic on two things.

[00:05:42]
One, your implementation, like how you're deploying software, all that kinda stuff, and then two, your security policies. How often are you gonna rotate your secrets, who has access to them, things like that. So I really do hope that we start using Doppler more at Hippo, because you can do that with Doppler, for example.

[00:05:59]
You can have teams, you can have users, and then you can have configs. And the idea is, is what we'll show you in a minute is you can create a config for service and then give only specific users access to that config and Doppler, and then they can manage that and update it and it'll be dynamic.

[00:06:15]
And not only that, then they can run it locally. And it's all in one place and really easy to manage so hopefully we'll do that in the future but yeah we don't even do that yet