How it Works
dragondrop is a self-hosted container that codifies un-controlled cloud resources, identifies drifted resources, and identifies the processes creating resources outside of your Terraform workflow in the first place.

Sign-Up & Create a Job
Create a Job within dragondrop using the web application.
Create Serverless Container Compute in Your Cloud
Create a serverless compute instance in your cloud that is HTTP triggerable, and import our publicly available container. We provide Terraform modules that create the needed compute in minutes.
Configure Your Job With Environment Variables
Because no information about your cloud posture ever touches dragondrop servers, configuration details are specified for each Job as environment variables. Specify the VCS repository, state files, and public cloud divisions that dragondrop should scan. All public cloud permissions should be read-only.
Client-side environment variable validation makes setting up your env variables as quick and easy as possible.
Get Suggestions in Your Version Control System (VCS)
Receive the following in a pull request within your VCS: 1) Uncontrolled cloud resources codified as Terraform along with needed import migration statements. 2) Identification of drifted cloud resources. 3) Identification of the users and service accounts changing your cloud outside of the Terraform workflow. 4) A “State of Cloud” report output via a Pull request comment that summarizes the results of the Job run.
Run Migrations Programmatically within Your Existing CI/CD Pipeline
Programmatically “plan” and “apply” import migration statements generated by dragondrop within your existing CI/CD GitHub Actions pipelines.
Identify the Root Causes of Drift with Cloud Actor Identification
Each job outputs a “State of Cloud” report which, in addition to high-level summary of the changes identified, surfaces the user accounts and cloud actors responsible for creating and modifying cloud resources outside of your Terraform workflow.
Frequently Asked Questions
What Public Clouds Do You Support?
We currently support AWS and GCP. Support for Azure expected in April of 2023.
What Terraform State Backends Do You Support?
dragondrop currently integrates only with Terraform Cloud as a remote state backend. We are currently alpha-testing our support for S3 backends. Support is also planned for Azure Blob Storage, and GCS.
Does dragondrop Make Changes to My Cloud?
No. dragondrop should only be granted read-only access to public clouds. All suggested resources-to-import from dragondrop must be first approved by authorized developers within your VCS and are only to migrating existing resources to Terraform control. dragondrop’s CI/CD process fails if any Terraform changes are detected other than a direct import of already existing resources.
What VCSs Do You Support?
We currently support GitHub. Support is planned eventually for Bitbucket and GitLab as well.
What CI/CD platforms are Supported?
dragondrop currently supports GitHub Actions. If there is sufficient interest, we will build support for CircleCI as well.
How Is My Cloud Kept Secure?
dragondrop’s container runs hosted within your cloud, and with all recommendations placed directly into your VCS, no information about your cloud posture leaves your existing tools. dragondrop’s servers only have visibility into when a job starts, when it completes different stages, when it finishes, and generic bug reports. Audits of this can be supplied upon request.