As Infrastructure as Code is becoming mainstream, organizations are leveraging additional tools to extend IaC functionality, whether it’s a matter of making IaC more manageable, or managing multiple environments. Today, we are excited to announce the integration with multiple IaC management tools, often referred to as TACOS (Terraform Automation & Collaboration Software). The cloud ecosystem should be all about integration, to easily deliver cloud services to organizations while making sure the cloud infrastructure is secure.
While Terraform helps you build Infrastructure as Code (IaC) for multiple cloud environments, it only provides the basic building blocks. As organizations scale up their use of Terraform, maintainability becomes an issue. One of the main challenges is repeating the same code across different modules; a large environment with multiple accounts can quickly become unmanageable. To solve this, organizations use Terragrunt to extend Terraform’s functionality.
Terragrunt is a thin wrapper that provides extra tools for keeping Terraform configurations DRY, working with multiple Terraform modules, and managing remote state. DRY stands for “don’t repeat yourself”: the goal is to eliminate duplicated module configuration.
Today, we are excited to announce support for Terragrunt with Indeni Cloudrail. When Cloudrail finds a violation of a mandated rule, the Terragrunt run exits with a non-zero code, so the pipeline step fails.
# terragrunt plan -out plan.out
[terragrunt] 2021/02/09 10:50:56 Reading Terragrunt config file at /Users/grunt/code/cloudrail-demo/terragrunt/terragrunt.hcl
[terragrunt] [/Users/grunt/code/cloudrail-demo/terragrunt] 2021/02/09 10:50:56 Running command: terraform --version
[terragrunt] [/Users/grunt/code/cloudrail-demo/terragrunt] 2021/02/09 10:51:00 Running command: terraform init
...
[terragrunt] [/Users/grunt/code/cloudrail-demo/terragrunt] 2021/02/09 10:51:17 Detected 1 Hooks
[terragrunt] 2021/02/09 10:51:17 Running command: terraform plan -out plan.out
...
This plan was saved to: plan.out

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.out"

[terragrunt] 2021/02/09 10:51:35 Detected 1 Hooks
[terragrunt] 2021/02/09 10:51:35 Executing hook: cloudrail_after_hook
[terragrunt] 2021/02/09 10:51:35 Running command: docker run --rm -v /Users/grunt/code/cloudrail-demo/terragrunt:/data indeni/cloudrail-cli run -d . --tf-plan plan.out --origin ci --build-link https://somelink --execution-source-identifier build-id --api-key myapikey --auto-approve
Preparing a filtered Terraform plan locally before uploading to Cloudrail Service...
Running a customized Terraform show using a customized version of Terraform to produce a detailed resource map. This is the longest phase of the evaluation, as it includes downloading Terraform plugins and providers, as well as a re-calculation of the plan...
Filtering and processing Terraform data...
Obfuscating IP addresses...
Submitting Terraform data to the Cloudrail Service...
Your job id is: 15b4201b-3a7f-4660-b5b6-0ec39c4d5184
Cloudrail Service accessing the latest cached snapshot of cloud account 123456789012. Timestamp: 2021-02-09 15:41:34Z...
Building simulated graph model, representing how the cloud account will look like if the plan were to be applied...
Running context-aware rules...
Returning results, almost done!
Assessment complete, fetching results...

ERRORs found:
Rule: EC2(s) within the public and private subnets should not share identical IAM roles
 Description: Having the same IAM role for both public and private instances may be dangerous. Someone may expand the permissions for the role in order to use it in a private workload, not realizing a public workload has the same privileges.
 - 1 Resources Exposed:
-----------------------------------------------
 - Exposed Resource: [aws_instance.priv_ins] (main.tf:107)
 Violating Resource: [aws_iam_role.test_role] (main.tf:51)

 Evidence:
 Instance ['aws_instance.pub_ins']
 | Instance is publicly exposed
 | Instance uses IAM role aws_iam_role.test_role
 | Private EC2 instance shares IAM role aws_iam_role.test_role as well
 Instance aws_instance.priv_ins
-----------------------------------------------

Summary:
7 Rules Violated:
 1 Mandated Rules (these are considered FAILURES)
 6 Advisory Rules (these are considered WARNINGS)
111 Rules Passed

NOTE: WARNINGs are not listed by default. Please use the "-v" option to list them.

To view this assessment in the Cloudrail Web UI, go to https://web.cloudrail.app/environments/assessments/15b4201b-3a7f-4660-b5b6-0ec39c4d5184

[terragrunt] 2021/02/09 10:52:21 Error running hook cloudrail_after_hook with message: exit status 1
[terragrunt] 2021/02/09 10:52:21 Hit multiple errors:
Hit multiple errors:
exit status 1
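The run above is driven by a Terragrunt after_hook on the plan command. The following terragrunt.hcl is an added example of how such a hook can be wired, not the configuration from the page or from the Cloudrail repository; it assumes the Terraform files (main.tf) sit next to terragrunt.hcl, as in the run above, and that the Cloudrail API key is supplied through a CLOUDRAIL_API_KEY environment variable rather than written into the file.

```hcl
# terragrunt.hcl (added example, not the project's own configuration).
# The Terraform module (main.tf) lives in this same directory, so
# `terragrunt plan -out plan.out` writes plan.out here and the hook can find it.
terraform {
  # Run Cloudrail after `terragrunt plan`. A non-zero exit status from the hook
  # fails the Terragrunt run, which is what stops the pipeline on a mandated-rule violation.
  after_hook "cloudrail_after_hook" {
    commands = ["plan"]

    # Skip the scan if the plan itself failed: there would be no plan.out to evaluate.
    run_on_error = false

    execute = [
      "docker", "run", "--rm",
      # Mount the module directory so the container sees plan.out under /data.
      "-v", "${get_terragrunt_dir()}:/data",
      "indeni/cloudrail-cli", "run",
      "-d", ".",
      "--tf-plan", "plan.out",
      "--origin", "ci",
      "--build-link", "https://somelink",            # placeholder, as in the run above
      "--execution-source-identifier", "build-id",   # placeholder, as in the run above
      # Assumed: the key comes from the environment, so it is not committed with the config.
      "--api-key", get_env("CLOUDRAIL_API_KEY", ""),
      # Run non-interactively; a hook has no terminal to answer prompts on.
      "--auto-approve",
    ]
  }
}
```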
For more details about the Cloudrail/Terragrunt integration, visit our GitHub repo.
env0 is a self-service cloud management platform for IaC architecture. With the rapid adoption of IaC, organizations need more governance over how cloud infrastructure is deployed. The best practice is to apply controls over cloud credentials and over who is allowed to apply changes. env0 also makes it easy for teams to add Cloudrail IaC security scans to their CI/CD pipeline.
If Cloudrail finds a violation in a rule that is set to Mandate, the env0 environment deployment will be stopped.
You can see the specific violations that were found under the Mandate rules.
For more information about how the integration works, visit here.
Spacelift automates the management of cloud infrastructure and describes itself as the first all-in-one CI/CD for IaC. It enables collaboration, automates manual work and compliance, and lets teams customize and automate their workflow.
Indeni Cloudrail automates infrastructure compliance. Together, the two prevent an insecure cloud environment from being deployed, without manual intervention.
For more information about the integration, visit here.