One of the first things I learned as a junior developer was to never push secrets to git. Sharing the secrets needed to bootstrap an environment has always been a bit wonky, and I often wonder whether we are not creating bigger security holes than the one we were trying to avoid by keeping secrets out of a (private) repo. Another side effect of not having a proper way to handle secrets is that they do not get rotated as often as they should.

It is important to note that tools like HashiCorp Vault address a lot of the…

If you’ve been working in AWS for long enough, you will know that nothing good comes from configuring resources in the console aka ClickOps. That being said, having a hard and fast rule that everybody should only have ReadOnly access in the console is also not great. I wanted something that would trigger when people are taking manual actions in the console and alert the team to investigate why this was done and what needs to be done to get our IaC deployment in sync with these changes.

For this reason, I’ve created ClickOops, a simple Lambda that monitors your…

We recently changed the default tags added to all the resources we provision in AWS for one of our clients. We also made some other more serious networking changes during the same release. This resulted in quite a hairy Terraform (tf) plan that we had to review.

If you’ve used tf for provisioning large environments you will know that the text plans it generates can be tricky to read, and sometimes a small change (like a tags change) can result in a plan where the more important changes get lost in all the noise. In a process to…

We’ve recently been asked to submit a proposal to rewrite a client’s application. The application has been in production for over 10 years and although it is still working, the ageing tech and lack of maintenance have become a blocker for the business.

We were not the first developers to be approached with this task; in fact, two other companies had tried to do the rewrite, but without success. This was a red flag for us: it signalled that the relationship between the client and software developers was anything but ideal. We’d rather not take on a new project than…

Resource looping has come a long way since I started using terraform, and with 0.13 around the corner it is time for us to say goodbye to count.

If you are new to terraform or have not really built dynamic environments, let’s quickly recap what count is. Imagine you have to manage security groups in AWS. To achieve this you create an aws_security_group resource and copy-paste it a few times, changing the relevant arguments.

Quickly you realize this is not fun, so you create a variable to hold all the security group arguments. …

making it easy to do dumb stuff

If you use terraform you will inevitably find yourself needing to only apply changes to a certain resource without affecting other resources. Hashicorp knew we would be needing this functionality and gave us the -target argument to use during plans, applies and destroy operations.

Resource targeting is generally seen as bad practice, and for this reason the terraform team has not made it easy to target multiple resources or to target resources using patterns.

Unfortunately every now and again you find yourself needing to apply all resources except one. This scenario requires you to target every resource that you want to…

IAM Policy Evaluation

In mid-2018 AWS released IAM Boundary policies, and it was immediately clear why they existed and where we could use them. This year AWS announced Session policies, but unlike boundaries it was not as obvious why they were created and how to use them.

In this post I’d like to show how to use them in code and possibly how they could be used in the wild.

What does a Session policy do?

On 22 April 2018, the team at PeckShield discovered a bug in the BEC token contract. This bug allowed attackers with a zero balance to pay really large amounts to whoever they wanted. This would completely dilute the value of any token, and by the time you realize your beloved token is worthless, hackerman is long gone.


In programming, numbers cannot get infinitely large and at some point if you keep on adding to a number it will overflow and “reset” to zero. In this contract’s case that magic number was 1.1579209e+77, which is really a lot (of anything). To put…

Unlike your mother, the blockchain will never forget

Recently at a blockchain conference I learned of the General Data Protection Regulation (GDPR) and more specifically Art. 17, Right to erasure (the Right to be Forgotten). The speaker noted that if your DApp puts personal data on a blockchain it would be impossible for you to comply with Art. 17, since data on a blockchain cannot be modified or deleted.

Blockchain and GDPR’s Art. 17 are fundamentally incompatible with each other.

I took this insight for granted and thought, “of course, this is why we are here”, only to realize that many are stunned and amazed by…


When I started with Javascript, I was oblivious to its asynchronous ‘nature’ (to mention one) and to what exactly that meant for me as a programmer. As I started hacking away at the forest that is JS tutorials, it came to my attention that there is a bit more to JS than simply updating a DOM element!

Terms like single threaded, non-blocking IO and asynchronous events were being thrown around and it took me a good while to get to grips with them. The purpose of this post is to reaffirm my understanding of these concepts and…

Paul Zietsman
