Python dependency management is known to be bad. Over time, I’ve decided the only way I’m willing to live is to push my Python environment hygiene to the max. As I’ve recommended my setup to a lot of people, I figured I should write it up as a reference.
This is what I aim to accomplish in my Python setup. You don’t have to agree with these tenets, and if you don’t, feel free to ignore any of the advice that follows as it flows from them.
I see a lot of people who aren’t fully aware of the difference between
~/.aws/credentials. While it is more or less fine to just use one or the other, I think it’s worth understanding their intended purpose. So here’s a short explainer.
The idea is that
~/.aws/config is the main file, where you create profiles with the region, output format, and non-sensitive setup, like a profile that assumes a role based on another profile, an AWS SSO-authenticated profile, or a credential process. It’s a file you can (and maybe should) commit to source control.
~/.aws/credentials, on the other hand, is for secrets. Access key + secret key. Maybe a session token if you’ve got some temporary credentials you want to use, but you’re probably better off putting those in env vars since they’re temporary anyway. …
InGraph is CloudFormation in Python syntax instead of YAML
I’m on the record as preferring declarative infrastructure as code (IaC) to imperative versions, such as the AWS CDK. I believe that declarative IaC has a lower total cost of ownership (TCO).
But while I prefer declarative to imperative, imperative IaC enables something I consider much worse: infrastructure as imperative programs that generate declarative IaC documents. Almost all imperative IaC frameworks work this way. There are two aspects to this that I consider particularly damaging.
First, these programs are generally not enforced to be deterministic, and when it’s not enforced, people are always going to find clever ways to solve their problems by externalizing state, and now your CI/CD process doesn’t have repeatable builds. …