Infrastructure as Code (IaC) tools allow you to define infrastructure in the cloud by writing code. Rather than deploying or changing infrastructure manually, users can take advantage of the features typically employed in a software development environment. This approach is a significant part of a successful “shift-left” strategy. “Shifting left” is simply the practice of finding and preventing defects earlier in a delivery process, typically during the creation of software. Adopting best practices around templates, testing, monitoring, review, and version control allows you to apply those same practices to the “code” that defines your infrastructure.
To learn more about the value of IaC in a security context, see our whitepaper Shifting Cloud Security Left with Infrastructure as Code.
Treating infrastructure like code enables organizations to plan, review, and examine infrastructure (resources) for misconfigurations before those resources are created. By taking advantage of Infrastructure as Code's ability to describe resources without creating them, DivvyCloud’s IaC Security enables organizations to implement security controls earlier in their continuous integration/continuous delivery (CI/CD) pipeline (shifting left). This provides an opportunity to address compliance and security concerns before deployment or modifications are made to your cloud infrastructure.
DivvyCloud’s IaC Security allows users to pull in preconfigured infrastructure templates. Templates are analyzed against Insights, with specific feedback about each violation, to determine compliance before the infrastructure is deployed.
By taking advantage of the extensive library of existing DivvyCloud Insights, users can get started quickly and see immediate value by analyzing resources before deployment using our built-in Insight Packs or customer-created Insight packs.
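The pre-deployment analysis described above, as an added illustration that is not DivvyCloud's code and not one of its Insight definitions: a Python script that reads the JSON a `terraform show -json <planfile>` command emits and flags planned resources that violate two sample rules (a public S3 bucket ACL and an ingress rule open to the whole internet) before anything is applied. The plan document, resource names, and the two rules are constructed for the example; only the plan's `resource_changes` layout and the attribute names of the `aws_s3_bucket` and `aws_security_group_rule` resources are real. A CI job could run this between `terraform plan` and `terraform apply` and fail the build on a non-zero exit code.

```python
"""Pre-deployment misconfiguration check over a Terraform plan (added example,
not DivvyCloud's engine). Reads the JSON from `terraform show -json tfplan`,
walks `resource_changes`, and reports planned resources that break a rule."""
import json
import sys
from ipaddress import ip_network

# Constructed sample plan: two S3 buckets (one public-read), two security group
# rules (one SSH open to 0.0.0.0/0), and one bucket being deleted.
SAMPLE_PLAN = json.dumps({
    "format_version": "0.1",
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "name": "logs",
         "change": {"actions": ["create"],
                    "after": {"bucket": "example-logs", "acl": "public-read"}}},
        {"address": "aws_s3_bucket.private", "type": "aws_s3_bucket", "name": "private",
         "change": {"actions": ["create"],
                    "after": {"bucket": "example-private", "acl": "private"}}},
        {"address": "aws_security_group_rule.ssh", "type": "aws_security_group_rule",
         "name": "ssh",
         "change": {"actions": ["create"],
                    "after": {"type": "ingress", "protocol": "tcp", "from_port": 22,
                              "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}}},
        {"address": "aws_security_group_rule.https", "type": "aws_security_group_rule",
         "name": "https",
         "change": {"actions": ["create"],
                    "after": {"type": "ingress", "protocol": "tcp", "from_port": 443,
                              "to_port": 443, "cidr_blocks": ["10.0.0.0/8"]}}},
        # A resource being destroyed has no "after" state; it must not be flagged.
        {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket", "name": "old",
         "change": {"actions": ["delete"],
                    "before": {"bucket": "example-old", "acl": "public-read"},
                    "after": None}},
    ],
})

# Canned ACLs that grant access beyond the bucket owner's account.
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def check_s3_bucket(after):
    """Return a finding string if the planned bucket ACL is public, else None."""
    acl = after.get("acl")
    if acl in PUBLIC_ACLS:
        return f"S3 bucket ACL '{acl}' grants public access"
    return None


def check_sg_rule(after):
    """Return a finding if an ingress rule admits any address (IPv4 or IPv6)."""
    if after.get("type") != "ingress":
        return None
    for cidr in after.get("cidr_blocks") or []:
        # A /0 prefix matches every address: 0.0.0.0/0 or ::/0.
        if ip_network(cidr, strict=False).prefixlen == 0:
            ports = f"{after.get('from_port')}-{after.get('to_port')}"
            return f"ingress from {cidr} on ports {ports}"
    return None


# Sample rule set keyed by Terraform resource type (constructed for the example).
RULES = {
    "aws_s3_bucket": check_s3_bucket,
    "aws_security_group_rule": check_sg_rule,
}


def find_violations(plan_json):
    """Evaluate every planned resource's post-apply state against RULES.

    Returns a list of (resource address, finding) pairs in plan order."""
    plan = json.loads(plan_json)
    violations = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        after = change.get("after")
        if after is None:  # pure delete: nothing will exist after apply
            continue
        check = RULES.get(rc.get("type"))
        if check is None:  # resource type not covered by any rule
            continue
        finding = check(after)
        if finding:
            violations.append((rc["address"], finding))
    return violations


if __name__ == "__main__":
    # Usage: terraform show -json tfplan | python check_plan.py
    # With no stdin data the constructed sample plan is used instead.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLAN
    found = find_violations(source or SAMPLE_PLAN)
    for address, finding in found:
        print(f"VIOLATION {address}: {finding}")
    sys.exit(1 if found else 0)
```

The script evaluates the `after` state rather than the template text, so values resolved from variables and modules are checked as Terraform will actually create them, and resources that the plan only destroys are skipped.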
DivvyCloud’s IaC Security supports a variety of resource types for Terraform 0.12. You can analyze supported resources for each of the three major public cloud service providers (CSPs): Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).
Terraform - 0.11, 0.12, 0.13, 0.14
When creating an IaC Security configuration, the configuration page informs you of any limitations in resource support.
- Fully Supported - resources are fully supported for IaC analysis on all three CSPs
- Partial Support - resources are not supported for certain CSPs; these will be specifically identified
- Unsupported - resources specific to this Insight are not supported on any of the CSPs
Currently all resources are supported using Terraform. Additional supported formats are in development, and this list will be updated when they are available.
AWS:
- AMI (Private)
- API Gateway
- API Gateway Domain
- API Gateway Key
- API Gateway Stage
- CloudFront
- CloudTrail
- CodeBuild Project
- Container Registry (ECR)
- DataSync Task
- DMS Replication Instance
- DynamoDB
- EBS Volume
- EC2 Instance
- EFS/FSx
- EKS/ECS/Fargate Cluster
- Elastic Network Interface (ENI)
- ElastiCache
- Elasticsearch
- Flow Log (VPC)
- IAM Group
- IAM Policy (Customer Managed)
- IAM Role
- IAM User
- IAM/ACM SSL Certificate
- Kinesis
- KMS
- Lambda
- Load Balancer (ELB/ALB/NLB/Gateway)
- MQ
- MSK Instance
- NACL/Security Group
- NACL/Security Group Rules
- NAT Gateway (VPC)
- RDS Aurora, Neptune, DocumentDB
- RDS Database, Neptune, DocumentDB
- Redshift
- Route53 DNS Zone
- S3 Bucket
- Sagemaker Notebook
- Simple Queue Service (SQS)
- SNS Topic
- VPC
- VPC Peer
- VPC Subnet
Azure:
- Azure Cosmos DB
- Azure Firewall Rule
- Blob Storage Container
- Container Registry
- Data Factory
- Data Lake Storage Gen1
- Dedicated Host
- Disk
- Key Vault
- Kubernetes Service
- Network Interface
- Network Security Group
- Public IP Address
- Redis Cache
- Resource Group
- Search Service
- Security Rules
- SQL Server, Azure Database for PostgreSQL/MySQL/MariaDB
- Storage Account
- Subnet
- Virtual Machine
- Virtual Network
GCP:
- Cloud KMS CryptoKey
- Cloud NAT
- Cloud SQL
- Cloud Storage
- GKE
- Instance
- Network Firewall
- Persistent Disk
- Pub/Sub Subscription
- Pub/Sub Topic
- Role
- Permission Set
- Subnet
- VPC
There are a few things you will need to have available and configured before using IaC Security. These items include:
- A running DivvyCloud Platform
- DivvyCloud Domain Admin permissions (only domain admins can create/edit IaC configs)
- A working understanding of Terraform and Terraform templates
- An existing version-controlled repository of Terraform templates
- Currently we support TF 0.12, but we are actively testing additional versions. If you have questions on versioning, contact us at [email protected]
- An existing integration between version control & CI/CD