Introduction
About a week ago, there was a thread on /r/sysadmin from a guy who was having a really hard time with coding and automation. As someone who experienced many of the same frustrations, I think it highlighted the need for education that is both relatable and aimed at people who don't have a programming background.
The fact of the matter is that coding isn't easy if you've never done it before, but neither is networking, or systems administration, or whatever your specialty happens to be. As with all things, the key is to start with the basics and then build up to more advanced concepts over time. This post is an attempt to provide a foundation to help folks feel a little less lost.
With the introduction out of the way, let us begin.
What is automation, and why does it even matter?
Like many trendy terms, "automation" can mean something slightly different for everyone. For the purposes of this post, I'll keep it simple and define it as a "force multiplier", that is, something that enables you to do more with less by abstracting away the tedious stuff.
The ability to make changes faster is how people usually try to sell automation, but I believe the real benefit lies in increased predictability. What does this mean? Well, by automating processes you:
- Minimize the potential for human error and make deployments more predictable.
- Enforce standard configurations for resources to make their behavior more predictable.
A practical example is building VPN tunnels, where it's unfortunately easy for a tiny mistake (a typo in a peer address, a proxy ID that doesn't match the other side) to cause the whole thing to fail. You can reduce the risk of silly mistakes by writing a script that takes a standard set of inputs, checks them, and applies all the relevant configuration to your firewall the same way every time.
Of course, it will still fail if your inputs are bad, but it's your job as the operator to make sure you're entering the right information. Computers are fundamentally stupid, so garbage input will always result in garbage output. The most a script can do is refuse to run when the input is obviously wrong, which is still a big improvement over finding out after the tunnel won't come up.
On a related note, I intend to open source some of the Ansible playbooks I've written for Palo Alto firewalls sometime in the near future so that there's an actual, tangible example to work with.
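Here is a small worked version of the "standard set of inputs" idea. It is an added example, not code from the original post or from the playbooks mentioned above: the field names, the checks, and the rendered `vpn-tunnel ...` lines are illustrative assumptions, not any vendor's real CLI syntax. The point it shows is the split between validating inputs (where garbage is caught) and rendering configuration (which then becomes boringly predictable).

```python
"""Validate a standard set of VPN tunnel inputs before any config is applied.

Added example, not from the original post. The field names, the checks and the
rendered configuration syntax below are hypothetical, chosen for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelSpec:
    name: str            # tunnel / gateway object name
    peer_ip: str         # address of the remote VPN gateway
    local_net: str       # CIDR behind this firewall
    remote_net: str      # CIDR behind the peer
    psk: str             # pre-shared key
    ike_version: int = 2


def validate(spec: TunnelSpec) -> list[str]:
    """Return a list of problems with the inputs; an empty list means they look sane."""
    problems = []

    # Object names: keep them to characters every platform accepts.
    if not spec.name or not spec.name.replace("-", "").replace("_", "").isalnum():
        problems.append("name must be alphanumeric (dashes and underscores allowed)")

    # Peer address must parse and must be a sensible unicast destination.
    try:
        peer = ipaddress.ip_address(spec.peer_ip)
        if peer.is_loopback or peer.is_multicast or peer.is_unspecified or peer.is_link_local:
            problems.append(f"peer_ip {spec.peer_ip} is not a usable unicast address")
    except ValueError:
        problems.append(f"peer_ip {spec.peer_ip!r} is not a valid IP address")

    # Traffic selectors: strict=True rejects "10.1.0.1/24" (host bits set),
    # a classic copy-paste mistake that silently mismatches the other side.
    nets = {}
    for field in ("local_net", "remote_net"):
        value = getattr(spec, field)
        try:
            nets[field] = ipaddress.ip_network(value, strict=True)
        except ValueError:
            problems.append(f"{field} {value!r} is not a valid CIDR (host bits must be zero)")
    if len(nets) == 2 and nets["local_net"].overlaps(nets["remote_net"]):
        problems.append("local_net and remote_net overlap; traffic selectors would be ambiguous")

    # Minimum PSK length is a policy choice assumed for this example.
    if len(spec.psk) < 20:
        problems.append("psk is shorter than 20 characters")

    if spec.ike_version not in (1, 2):
        problems.append(f"ike_version must be 1 or 2, got {spec.ike_version}")

    return problems


def render(spec: TunnelSpec) -> list[str]:
    """Render the tunnel as configuration lines, refusing to proceed on bad input.

    The syntax is hypothetical; in practice this is where you would call the
    firewall's API or feed an Ansible module with the same values.
    """
    problems = validate(spec)
    if problems:
        raise ValueError("refusing to build tunnel: " + "; ".join(problems))
    return [
        f"vpn-tunnel {spec.name} peer {spec.peer_ip}",
        f"vpn-tunnel {spec.name} ike-version {spec.ike_version}",
        f"vpn-tunnel {spec.name} pre-shared-key {spec.psk}",
        f"vpn-tunnel {spec.name} proxy-id local {spec.local_net} remote {spec.remote_net}",
    ]


if __name__ == "__main__":
    # Constructed sample input (TEST-NET-3 peer, RFC 1918 subnets).
    sample = TunnelSpec("branch-01", "203.0.113.10", "10.1.0.0/24", "10.2.0.0/24", "k" * 24)
    print("\n".join(render(sample)))
```

Every run with the same `TunnelSpec` produces the same four lines, which is the predictability the post is talking about; the validation step is what stops a fat-fingered subnet from being pushed in the first place.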
Before you start
The first step, before even looking at any particular technologies, is to step back and take a critical look at your environment and ask yourself this:
1. What kind of problems do you have, and how will automation help solve them?
This may sound like a dumb question, but I put it first because it's actually the most important. Technology should not be implemented simply because everyone else is doing it. Any undertaking that doesn't have a clear goal is pretty much destined to be abandoned.
To that end, your first goals should be to focus on easy wins. Still doing config backups manually? Fix that. Want to find out what NAT rules there are on 10 different routers? Do it.
Point is, have concrete goals right from the outset, and then move on to the fancy stuff.
2. Understand that not everything should be automated
Frankly, some things aren't worth the time or effort. As a general rule, if automation makes a process more complicated with no added benefit, then something's wrong.
General principles
1. Be practical, not clever
Generally, any code you write should not be convoluted and hard to understand. If you find yourself using crazy complex logic in your code, consider stepping back to see if the process can be altered to make it simpler. It doesn't matter if it's not the most elegant solution as long as it gets the job done reliably.
2. Use good tools
I've tried writing playbooks in nano and copying my files to a different folder for backups, and it sucks. Using a good editor and version control makes life much, much easier. Personally I use VSCode with git for everything, but I'm sure there are many other options as well.
3. Have realistic expectations
Learning new skills isn't at all easy, but it's definitely worth the effort. Struggling to understand concepts that may be obvious to others doesn't mean you're dumb, it means you're gaining new experience.
What now?
I fully recognize that the contents of this post aren't actionable, but I felt it was necessary as a sort of introduction. I also deliberately didn't go into details on any particular languages or frameworks because this is foundational information that applies to everything.
The second post in this series will be more practical, with some example firewall changes in Ansible using:
- simple variables
- arrays
- loops
- maps (dicts)
- functions (roles)
I'm using Ansible since I'm familiar with it and it's easy to understand, but these concepts will apply everywhere.
That's about all I've got for now; hopefully y'all found this useful.
For those who have started going down this path, was there anything you found especially difficult? What advice would you have for people who are just starting out?
Frankly, I just want to talk about this stuff for my own edification as well, so any discussion is welcome.