mnl, 1 year ago

the idea here is to have (simple, this is lisp after all) code generators that take that DSL and output real terraform, and conversely use oak/tree-sitter to extract said DSL back out from the real terraform.

Using graph unification (see cuelang), we can apply validation on both the LLM output, and the real terraform, and unify / diff3 things from both sides.

The concise DSL allows us to prompt the LLM to do refactors without getting bogged down in syntax (which leads to hallucinations).

hazelweakly, 1 year ago

@mnl ooh snap that looks promising. Have you been able to proof of concept any of it yet?

mnl, 1 year ago

deleted_by_author

mnl, 1 year ago

@hazelweakly I don't really know anything about terraform / devops (I struggle real bad), I'd be quite interested in hearing your takes, especially if you looked at the plethora of config scaffolding things out there. cue lang/hof is the one that actually makes sense to me, although I didn't look at say, dhall.

hazelweakly, 1 year ago

@mnl One thing that's really tricky about terraform that isn't obvious is that it's a mapping of JSON to API calls and it's essentially a DAG of RPC calls, combined with a state reconciliation pattern, that maps out a "minimal" set of CRUD operations to achieve a desired state from a given state.

However, the state is theoretically opaque and "should" be transparent. In practice, this isn't true, and the structure of the terraform code (+ symbol names) map to state in a very not obvious way

hazelweakly, 1 year ago

@mnl that all said, much like most other "DAG" APIs, there's a large bias towards wanting to treat everything as a forest of trees (or a set of call stacks, if you like).

There's also a lot of syntax and complexity around representing optional information, merging default data, handling groups of objects, and providing the ability to represent abstractions.

Terraform does all of those somewhat poorly, as can be seen by the state of the AWS community modules. Holy complexity batman 💀

hazelweakly, 1 year ago

@mnl as far as what that means for "real challenges", here's a short list of things that are nearly impossible to automate, everyone runs into them, and nobody has good ways to avoid it because it's too complex to "start off" with these patterns:

• going from 1 to many (resource, env, region, AZ, etc)
• going from concrete resource to reusable module
• adding/mapping/locking-down/reasoning-about ACLs
• migrating from adhoc tf to community modules
• testing
• ephemerality
• complete bootstrap

hazelweakly, 1 year ago

@mnl none of the existing stuff out there really solves any of that imo. What the config lang stuff seems to have (value wise) is making it easier to write reams of boilerplate from a simple config that can be type checked. And yeah, while it's valuable to be able to have a deploy.yml file with

file: Dockerfile
name: myService
domain: my-service.com
acls: [ myCorp::lol, myCorp::lmao ]

And get 2k LoC of terraform from that, it doesn't solve those problems, it just defers them to other people