The Reese’s Cup of DevOps: Terraform + GitOps
What is GitOps?
We like the definition that GitLab gives for GitOps:
“GitOps is an operational framework that takes DevOps best practices used for application development such as version control, collaboration, compliance, and CI/CD, and applies them to infrastructure automation.”
Essentially, it is the application of git-enabled, development best practices to infrastructure operations. Hence, “GitOps”.
What is Terraform?
Terraform is the leading Infrastructure as Code tool. An open source tool, it allows users to manage third-party APIs through code, generally using declarative HCL statements. Its biggest use case, by far, is managing infrastructure resources from the major cloud providers.
Leveling up Cloud Maturity with Terraform and GitOps
By using Terraform to manage cloud infrastructure, and running Terraform commands through a GitOps workflow, we unlock several advantages:
- Infrastructure is version controlled, and collaborative. With Terraform controlling infrastructure, and Terraform versioned in git, one gets a clear history of how their cloud environment has evolved over time. Collaboration happens in PR comments, vs. stumbling upon an S3 bucket that someone else clicked their way into on the AWS console.
- Leverage the existing CI/CD stack. Is your team a GitHub Actions shop? Or CircleCI power users? In any case, there are many OSS (atlantis, digger, vanilla GitHub Actions) and enterprise solutions that enable infrastructure management via Terraform directly within your existing CI/CD pipelines.
What allows you to truly level up your cloud game, however, is the following:
Community-driven Static Code Analysis tools
Because Terraform is written declaratively and defines cloud infrastructure, it is possible to use Terraform as a proxy for your cloud and to perform static analysis over it to ensure:
- Security & Compliance: Use tools like checkov, terrascan, and tfsec to ensure infrastructure changes align with security best practices.
- Cost Controls: Tools like infracost enable cost estimations on infrastructure changes, prior to them being applied.
- Policy Application: Run OPA on terraform plan JSON output, or against HCL via conftest, to enforce specific organizational policies like “every resource needs to have a ‘department’ tag”.
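To make the policy-application step concrete, here is an added example (not code from dragondrop.cloud, OPA, or conftest) that expresses the “every resource needs a ‘department’ tag” rule directly over the JSON that terraform show -json produces from a saved plan. It walks the resource_changes array, which is the same structure a Rego policy under conftest would inspect, and flags every resource being created or updated without the tag. The plan document embedded below is constructed for the example; the required tag name and the aws_* resource types are assumptions.

```python
"""Tag-policy check over `terraform show -json` plan output.

Added illustration (not cloud-concierge, OPA, or conftest code): it walks
the `resource_changes` array of a Terraform plan JSON document and reports
every resource that is being created or updated without a 'department'
tag, which is the same check an OPA/conftest Rego policy would express.
"""
import json

REQUIRED_TAG = "department"  # assumed organizational policy

# Constructed sample: a trimmed-down plan JSON with three resource changes.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "aws_s3_bucket.logs",
            "type": "aws_s3_bucket",
            "change": {
                "actions": ["create"],
                "before": None,
                "after": {"bucket": "example-logs", "tags": {"department": "platform"}},
            },
        },
        {
            "address": "aws_instance.web",
            "type": "aws_instance",
            "change": {
                "actions": ["update"],
                "before": {"instance_type": "t3.micro", "tags": {}},
                "after": {"instance_type": "t3.large", "tags": {"owner": "alice"}},
            },
        },
        {
            "address": "aws_instance.old",
            "type": "aws_instance",
            "change": {
                "actions": ["delete"],
                "before": {"instance_type": "t3.micro", "tags": {}},
                "after": None,
            },
        },
    ],
})


def tag_violations(plan_json: str, required_tag: str = REQUIRED_TAG) -> list:
    """Return addresses of resources created or updated without `required_tag`.

    Deletions and no-ops are skipped: the policy guards what will exist after
    apply, and `change.after` is null for a resource being destroyed.
    A replace (actions ["delete", "create"]) is checked like a create.
    """
    plan = json.loads(plan_json)
    violations = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        actions = set(change.get("actions", []))
        if not actions & {"create", "update"}:
            continue
        after = change.get("after") or {}
        # The AWS provider exposes user tags under "tags"; "tags_all" also
        # folds in provider-level default_tags, so accept either location.
        tags = after.get("tags") or after.get("tags_all") or {}
        if not tags.get(required_tag):
            violations.append(rc["address"])
    return violations


if __name__ == "__main__":
    # In CI this would read the file written by `terraform show -json plan.out`.
    for address in tag_violations(SAMPLE_PLAN_JSON):
        print(f"FAIL {address}: missing required tag '{REQUIRED_TAG}'")
```

Wired into a GitOps pipeline, a non-empty violation list fails the PR check before terraform apply ever runs, so the untagged aws_instance.web update above would be blocked at review time rather than discovered in a billing report.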
With Terraform run through a GitOps workflow, we’ve unlocked security, cost controls, and policy compliance for our cloud environment. Is there anything stopping us from cloud perfection?
Barriers to Entry: Resource Drift and Un-codified Resources
There are two main speed bumps to achieving cloud supremacy, and they both derive from the same fundamental truth: in order for Terraform to be most useful, it must accurately represent your entire cloud, and do so as often as possible.
This requirement is broken in the following ways:
- Terraform Drift: Drift happens when resources managed by Terraform are altered outside of Terraform. This can happen through actions taken by a user in the cloud console, on the CLI, or through application code. If that EC2 instance has its instance size increased manually through the AWS console, no OPA policy or infracost scan will catch it.
- Un-codified resources: Often when teams are building fast, or are new to Terraform, they can have a lot of unmanaged resources. Whether or not you include checkov, tfsec, or terrascan in your CI pipeline, cloud resources outside of Terraform control are never scanned, so no security findings come back for them.
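Both speed bumps reduce to one comparison: what Terraform state says exists versus what the cloud actually reports. The following added example (not cloud-concierge or driftctl code) performs that comparison for the two cases just described. It reads the resources array of a terraform.tfstate document and diffs it against a live inventory of the same resource types; an attribute that differs for a managed resource is reported as drift, and an inventory entry with no state counterpart is reported as unmanaged. The state document and the inventory are constructed stand-ins for a real state file and a real cloud API listing.

```python
"""Drift and unmanaged-resource report: Terraform state vs. live inventory.

Added illustration (not cloud-concierge or driftctl code). It compares the
`resources` array of a terraform.tfstate document with a live inventory of
the same resource types (a constructed dict standing in for what a cloud
API would return) and reports:
  * drift: an attribute of a Terraform-managed resource differs in the cloud
  * unmanaged: a cloud resource with no corresponding entry in state
"""
import json

# Constructed sample state (format version 4) with two managed resources.
SAMPLE_STATE_JSON = json.dumps({
    "version": 4,
    "resources": [
        {
            "mode": "managed",
            "type": "aws_instance",
            "name": "web",
            "instances": [{"attributes": {"id": "i-0aaa111", "instance_type": "t3.micro"}}],
        },
        {
            "mode": "managed",
            "type": "aws_s3_bucket",
            "name": "logs",
            "instances": [{"attributes": {"id": "example-logs", "acl": "private"}}],
        },
    ],
})

# Constructed live inventory keyed by (resource type, cloud id).
SAMPLE_CLOUD_INVENTORY = {
    # Instance was resized in the console after Terraform applied t3.micro.
    ("aws_instance", "i-0aaa111"): {"id": "i-0aaa111", "instance_type": "t3.large"},
    ("aws_s3_bucket", "example-logs"): {"id": "example-logs", "acl": "private"},
    # Bucket created by hand; no Terraform resource refers to it.
    ("aws_s3_bucket", "clicked-in-console"): {"id": "clicked-in-console", "acl": "public-read"},
}


def managed_resources(state_json):
    """Map (type, id) -> (address, attributes) for every managed instance in state."""
    state = json.loads(state_json)
    managed = {}
    for res in state.get("resources", []):
        if res.get("mode") != "managed":
            continue  # data sources are read-only and own no cloud resource
        for inst in res.get("instances", []):
            attrs = inst["attributes"]
            address = f"{res['type']}.{res['name']}"
            managed[(res["type"], attrs["id"])] = (address, attrs)
    return managed


def detect_drift_and_unmanaged(state_json, inventory):
    """Return (drift, unmanaged).

    drift: list of (address, attribute, value_in_state, value_in_cloud);
           a resource missing from the cloud entirely is reported with
           attribute "<deleted>".
    unmanaged: sorted "type:id" strings present in the cloud but not in state.
    """
    managed = managed_resources(state_json)
    drift = []
    for key, (address, attrs) in managed.items():
        live = inventory.get(key)
        if live is None:
            drift.append((address, "<deleted>", None, None))
            continue
        # Only compare attributes the inventory actually reports; the state
        # file carries many provider-computed fields a listing API omits.
        for attr, expected in attrs.items():
            if attr in live and live[attr] != expected:
                drift.append((address, attr, expected, live[attr]))
    unmanaged = sorted(f"{t}:{i}" for (t, i) in inventory if (t, i) not in managed)
    return drift, unmanaged


if __name__ == "__main__":
    drift, unmanaged = detect_drift_and_unmanaged(SAMPLE_STATE_JSON, SAMPLE_CLOUD_INVENTORY)
    for address, attr, expected, actual in drift:
        print(f"DRIFT     {address}: {attr} is {actual!r} in cloud, {expected!r} in state")
    for item in unmanaged:
        print(f"UNMANAGED {item}: not in Terraform state")
```

Running it on the constructed data reports the console-resized instance as drift and the hand-made bucket as unmanaged. Neither finding is visible to checkov, tfsec, or an OPA policy run in the PR pipeline, because those tools only see the HCL and plan, which still say t3.micro and know nothing about the extra bucket; that is exactly why drift and unmanaged-resource detection has to run against the live cloud on a schedule, not just at PR time.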
Conclusion & Next Steps
Terraform and a GitOps workflow are a tried-and-true way to get your organization to cloud maturity. While the effort needed to implement a best-practices GitOps workflow is not trivial, it sure beats cost overruns and security vulnerabilities. That said, Terraform drift and un-codified resources will prevent your org from getting the most out of this paradigm.
Lastly, because of these challenges and the value of Terraform + GitOps, we built, and open-sourced, cloud-concierge. cloud-concierge proactively surfaces drift, codifies un-managed resources, and natively runs static analysis tools (tfsec, infracost, etc.) against the current state of your cloud. Because we are big fans of GitOps, all results are output directly to your VCS as a Pull Request 😃!
Questions or suggestions? Something we missed? Let us know in the comments below!
dragondrop.cloud’s mission is to automate developer best practices while working with Infrastructure as Code. Our flagship OSS product, cloud-concierge, allows developers to codify their cloud, detect drift, estimate cloud costs and security risks, and more — while delivering the results via a Pull Request. For enterprises running cloud-concierge at scale, we provide a management platform. To learn more, schedule a demo or get started today!