because drift matters
We recently released the first versions of driftctl, a new open-source project for infrastructure developers, DevOps, SRE, and cloud practitioners, with the goal of helping manage all kinds of drifts.
Why? Because infrastructure is a living thing and changes are risky.
In the team, we all managed cloud infrastructures at some level at our previous jobs, as developers with serverless function needs or DevOps managing large production systems. And we all knew that sometimes an emergency required a manual change, a customer tweaked a setting on the console, the boss activated something that had an impact later…or put more simply, that the whole infrastructure was just not totally under control by Terraform (or similar tool), just because ops life in production is rarely perfect and ideal.
And all those tiny changes sometimes got forgotten about, or partially implemented in infrastructure-as-code later…
How a simple manual change in an AWS Security Group using the AWS Web Console can have bitter security consequences
In this article, we’ll show how a simple manual change in an AWS Security Group using the AWS Web Console can have bitter security consequences. This one is based on many first-hand experiences and user feedback, in a production context with infrastructure-as-code.
Allowing PgSQL (with Terraform)
For this article, we’ll take the example recently experienced by a team we know. They secured access to their PgSQL instances with this simple Terraform configuration, allowing only the web servers subnet:
// Secure the PgSQL RDS cluster using a dedicated SG
resource "aws_security_group" "pgsql" {
name = "PgSQL Security Group"
description = "PgSQL Security Group"…
How minimizing our attack surface with CircleCI Contexts helped us pass the Codecov bash uploader security issue unharmed
What is Codecov
For those who don’t know Codecov, it is an online platform for hosted code coverage reports and statistics founded in 2014. According to their website, over 29,000 organizations and more than 1 million developers use their tools. The list includes Google, Atlassian, The Washington Post, RBC, and Procter & Gamble Co.
Its main tool, the Bash Uploader, is used to send code coverage reports to the platform. Those reports help developers measure how well their source code is covered by tests. This is the main reason why it is widely used among developers and organizations.
What about the breach?
On April 15th, 2021, Codecov…
Here’s why we bring a new open source DevOps tool
As we celebrated the initial release of driftctl 3 months ago, we certainly hoped for some sort of acknowledgement or favorable opinion from those who would use it, but we were not prepared for such a warm welcome.
Reflecting on the first steps of the project, the fast moving star history and the contributions and interactions we have benefited from, we are both grateful and humbled by the support we receive from the open source community.
Why we launched this DevOps tool in the first place
At CloudSkiff, we are all fans of GitOps. We are big believers in the power of Infrastructure as Code and all its benefits.
We…
…You can’t catch ’em all
This talk covers three major topics:
- Infrastructure as Code: all the good intentions and the ideal world each of us expected when we started using it, and how it’s actually going in everyday’s Ops life. We will see that how it started is probably different from how it is going and from what we expected.
- We will then “drift” together, using Terraform and AWS and share some war stories that we heard from infrastructure teams, and how things sometimes went really wrong for them.
- We will finally present driftctl, our open source answer to infrastructure drift problems.
Infrastructure drift: definition
Let’s first agree…
Learn how to use driftctl in a real-life environment, with multiple Terraform states and output filtering.
Whether it’s a script gone wild, a bad API call from a trusted Lambda, or just the daily SNAFU, you want to know about the situation.
Driftctl will do just that. In this guide, you will learn how to use driftctl an open source tool that tracks and warns of infrastructure drift, in a realistic real-life environment, with multiple Terraform states and output filtering. We will demonstrate how manual changes can impact drift detection and how driftctl complements Terraform plan!
Requirements
We recommend using an…
When talking about infrastructure drift, you often get knowing glances and heated answers. Recording gaps in your infra between what you expected to be and the reality of what is, is a well known and widespread issue bothering hundreds of DevOps teams around the globe. Interesting to note though, is that depending on their context, the exact definition they will give of drift will vary.
Facing impacts and consequences ranging from intensive toil to dangerous security threats, many DevOps teams are keenly aware of the issue and actively looking for solutions.
We decided to look more closely into how they…
How do you start managing several Terraform environments?
The need to manage multiple Terraform environments is very common. Indeed, getting started is one thing but then you end up with various environments that you need to manage, several teams, etc… So how do you manage terraform when you start having several environments like dev, staging, prod, and how do you manage the complexity?
Manage multiple Terraform environments : getting started with TF Files
If you need to manage several Terraform environments, there are a lot of ways to ramp up your approach and get started.
Getting started step by step with single tf files. The task can be daunting to know all the good practices at first, and…
How to type Terraform variables? Declaring strings, lists, booleans, and objects within your Infrastructure code is possible and will save you from many mistakes. Here’s our take on how to deal with it.
How to type variables in Terraform?
People often ask: can you, and should you declare variables in Terraform?
One of the biggest issues I had in my “Chef” days was that I could multiply strings by booleans which used to create very nice issues in production.
So, yes you can type variables in Terraform. Let me show you an example :
Key Steps to a good quality for your Infrastructure Code.
Terraform code quality is important and there are a lot of tools to improve it. A lot of them are quite difficult to use. Here are a few tools that we find really useful and can be set up in minutes for you.
Terraform code quality starts by the basics with Terraform Validate
Terraform works with providers for each cloud and has resources. Basically, you can see it as an instance to launch in which you describe what you want. Let’s see how internal tools can help you improve your Terraform code quality.
Terraform validate is a subcommand in Terraform that will only address structure and coherence, which means that…
Driftctl
Protecting codified infrastructures
