What’s New?
Have you Upgraded to Terraform 0.14?
We have! It has definitely brought some exciting new features.
Concise Diff
terraform plan, terraform apply, and terraform show now hide unchanged and irrelevant fields by default. The diff displays only the relevant subset of each resource, making it much easier to understand what changes Terraform intends to perform.
Sensitive Input Variables and Extended Provider Schema Sensitivity
Input variables, module outputs and, optionally, provider schemas may be marked as sensitive. Values for input variables marked sensitive are redacted from CLI output. Module outputs that have the attribute sensitive = true set have their values redacted throughout the plan. This helps prevent unintended exposure of values to systems that consume Terraform output, such as logging and version control.
Provider Dependency Lock File
The new dependency lock file, .terraform.lock.hcl, created by default, helps simplify Terraform automation for providers from remote registries. Providers can now be updated by running terraform init -upgrade.
Terraform 0.14.x also introduces state file forward compatibility, two new validation conditions, all and any, for variable validation, and Linux ARM64 support.
Take a deeper dive into Terraform 0.14.x and beyond here.
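As an added example (not part of the original newsletter), the configuration below ties these features together: a sensitive input variable, a root-module output that must itself be marked sensitive because it derives from one, and validation blocks using the alltrue and anytrue functions that Terraform 0.14 added (the all/any validation conditions mentioned above). The variable names, CIDR list and connection string are illustrative assumptions.

```hcl
# Added example, not from the original post: a minimal Terraform 0.14
# configuration exercising sensitive variables, sensitive outputs and the
# new alltrue/anytrue functions inside validation blocks. The variable
# names, CIDR list and connection string are assumptions for illustration.

terraform {
  required_version = ">= 0.14"
}

variable "db_password" {
  type      = string
  sensitive = true # value is redacted in plan/apply output

  validation {
    condition     = length(var.db_password) >= 16
    error_message = "The db_password value must be at least 16 characters."
  }
}

variable "allowed_cidrs" {
  type    = list(string)
  default = ["10.0.0.0/8", "192.168.0.0/16"]

  validation {
    # alltrue() is true only if every element of the list is true.
    condition     = alltrue([for c in var.allowed_cidrs : can(cidrhost(c, 0))])
    error_message = "Every entry in allowed_cidrs must be a valid CIDR block."
  }
}

variable "environment" {
  type    = string
  default = "dev"

  validation {
    # anytrue() is true if at least one element of the list is true.
    condition     = anytrue([for e in ["dev", "staging", "prod"] : var.environment == e])
    error_message = "The environment must be one of dev, staging or prod."
  }
}

# Anything derived from a sensitive input is sensitive too; a root-module
# output carrying such a value must be marked sensitive or terraform plan
# refuses to continue.
output "db_connection_string" {
  value     = "postgres://app:${var.db_password}@db.internal:5432/app"
  sensitive = true
}
```

Running terraform init on this directory also writes the .terraform.lock.hcl file described above, which should be committed alongside the configuration.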
Open Policy Agent
The Open Policy Agent (OPA, pronounced “oh-pa”) is an open source, general-purpose policy engine that unifies policy enforcement across the stack. OPA provides a high-level declarative language that lets you specify policy as code and simple APIs to offload policy decision-making from your software. You can use OPA to enforce policies in microservices, Kubernetes, CI/CD pipelines, API gateways, and more. Policy enablement empowers users to read, write, and manage these rules without needing specialized development or operational expertise. When your users can implement policies without recompiling your source code, your service is policy enabled.
Learn more at https://www.openpolicyagent.org/docs/v0.12.2/#policy-enablement
RDS on Graviton2 (ARM Architecture)
Our RDS instances are now ready to take the ARM advantage using Graviton2 on AWS. Instance types can easily be matched to your workload for the best price performance.
M6g - Best price performance for general-purpose workloads with balanced compute, memory, and networking
T4g - Best price performance for burstable general-purpose workloads
C6g - Best price performance for compute-intensive workloads
R6g - Best price performance for workloads that process large data sets in memory
Graviton2 instances offer up to 40% better price performance over comparable current-generation x86-based instances for a wide variety of workloads, including application servers, microservices, high-performance computing, electronic design automation, gaming, open-source databases, and in-memory caches. The AWS Graviton2 processors also provide enhanced performance for video encoding workloads, hardware acceleration for compression workloads, and support for CPU-based machine learning inference. They deliver 7x more performance, 4x more compute cores, 5x faster memory, and 2x larger caches.
Find the Graviton details at https://aws.amazon.com/ec2/graviton/
Infection Monkey Breach and Attack Simulation
We have extended our BAS toolchain to include the open source Infection Monkey. We use it to assess the resiliency of private and public cloud environments to post-breach attacks and lateral movement.
It provides both attack and detection capabilities: exploit modules such as SambaCry, Shellshock, ElasticGroovy, Struts2 and more, alongside detections for credential analysis, alerts on cross-segment traffic, tunneling and others.
Infection Monkey is also able to provide Actionable Secure Insights to further harden the system, and it runs on numerous platforms. Regular automated security testing provides a proactive approach to an ever-increasing set of attack vectors.
Let the monkey guide you at https://www.guardicore.com/infectionmonkey/
Useful Reading
Kubernetes API specs: When you want to know the intricate inner workings of K8s, the Kubernetes API specs are your friend. https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/
tfenv makes managing multiple Terraform CLI versions trivial, a must-have for any infrastructure toolkit. https://github.com/tfutils/tfenv
Love GitOps? Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. https://argoproj.github.io/argo-cd/
The OWASP DevSecOps Guideline focuses on explaining how we can implement a secure pipeline using best practices and introduces relevant tool sets. https://owasp.org/www-project-devsecops-guideline/
Fun Stuff
RNA-Seq pipeline
For the data science adventurers out there, this should get your juices flowing. The example shows how to put together an RNA-Seq pipeline with basic functionality. It maps a collection of read pairs to a given reference genome and outputs the respective transcript model. https://www.nextflow.io/example4.html
Skype Bot controls Jenkins
Make your life easier and have fun doing it by using Docker to control Jenkins with a Skype Bot! https://eljoujat.github.io/2015/07/09/jenkinsbot.html