I've been working with Terraform for a while now, and I've noticed that there are a few things that people keep asking me about. I thought it would be helpful to write a blog post about some of the most common questions I get asked and share some of the things I've learned along the way. This is not an exhaustive list, and, if you have any feedback or suggestions, please let me know!
Imports your current cloud infrastructure into an Infrastructure as Code Terraform configuration file (HCL) and/or into a Terraform state. Terracognita currently imports AWS, GCP, AzureRM and VMware vSphere cloud providers as Terraform (v1.1.9) resources/state.
In this tutorial, you will learn ways to import pre-existing cloud resources before continuing to develop the IaC in Terraform. It walks through an import scenario that teams starting to adopt Terraform for their operations often face.
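The adopt-then-verify step that the import scenario above calls for, as an added example that is not part of the original page, of Terracognita, or of HashiCorp's code: bring one existing resource into Terraform state by hand, then gate on `terraform plan -detailed-exitcode` so a mismatch between the written HCL and the real resource is caught before an apply can modify or replace it. The resource type `aws_s3_bucket`, the address `aws_s3_bucket.logs` and the bucket name are hypothetical placeholders; the terraform calls assume Terraform 1.1.x on PATH plus provider credentials, while `write_stub` runs anywhere.

```shell
#!/usr/bin/env bash
# Added example, not Terracognita's or HashiCorp's code: adopt one existing
# resource into Terraform 1.1.x state and refuse to proceed until the HCL
# matches what was imported. Resource type, name and bucket ID are
# hypothetical placeholders.
set -euo pipefail

# `terraform import` requires a resource block at the target address to
# already exist in the configuration, so write an empty one first.
write_stub() {
  local type=$1 name=$2 file=$3
  printf 'resource "%s" "%s" {\n  # attributes: copy from `terraform state show`\n}\n' \
    "$type" "$name" > "$file"
}

# Import ADDR (e.g. aws_s3_bucket.logs) from its real-world ID, then require
# a clean plan. `plan -detailed-exitcode` exits 0 for "no changes", 2 when
# changes are pending and 1 on error; anything but 0 means an apply would
# mutate or replace the production resource you just adopted.
import_and_verify() {
  local addr=$1 id=$2 rc=0
  terraform import -input=false -no-color "$addr" "$id"
  terraform state show -no-color "$addr"    # real attributes to copy into the stub
  terraform plan -input=false -detailed-exitcode -no-color >/dev/null || rc=$?
  case "$rc" in
    0) echo "$addr: configuration matches the imported resource" ;;
    2) echo "$addr: plan shows changes; fix the HCL before any apply" >&2; return 2 ;;
    *) echo "$addr: plan failed (exit $rc)" >&2; return 1 ;;
  esac
}

# Usage when run directly: ./adopt.sh aws_s3_bucket logs my-existing-bucket
if [[ $# -eq 3 ]]; then
  write_stub "$1" "$2" "$2.tf"
  import_and_verify "$1.$2" "$3"
fi
```

The same plan gate applies to HCL and state generated in bulk by a tool: a non-zero `-detailed-exitcode` after import is the signal that the generated configuration does not describe what is actually deployed, and the discrepancy should be resolved before the state is committed or shared.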
As AWS security professionals, we are often asked by customers to validate their use of AWS security services, to give tips and tricks on using them, and to describe how others use them. With this guide our goal is to share this knowledge more broadly with the user community and, at the same time, to give others outside of AWS the ability to contribute.
Simply put, we will be covering best practices for configuring AWS security services. This is NOT a guide to overall AWS security best practices, and it is not simply a numbered list of best practices. Instead, it walks you through what you need to know before deploying an AWS security service, what you should be doing after enablement, and how to fully operationalize the service. Often this is done by discussing different use cases and the factors associated with each that can help in making design decisions. After following this guide you should feel confident that you can configure and use an AWS security service effectively.
The security helper tool (ASH) was created to help you reduce the probability of a security violation in new code, infrastructure or IAM configuration by providing a fast and easy way to run a preliminary security check as early as possible in your development process.
It is not a replacement for human review or for the standards enforced by your team or customer. It uses lightweight, open-source tools to stay flexible and able to run from anywhere. ASH clones and runs different open-source tools, such as git-secrets, bandit, Semgrep, Grype, Syft, nbconvert, npm-audit, checkov, cdk-nag and cfn-nag. Please review the LICENSE file before use.
Podman is a daemonless, open source, Linux native tool designed to make it easy to find, run, build, share and deploy applications using Open Containers Initiative (OCI) Containers and Container Images. Podman provides a command line interface (CLI) familiar to anyone who has used the Docker Container Engine. Most users can simply alias Docker to Podman (alias docker=podman) without any problems. Similar to other common Container Engines (Docker, CRI-O, containerd), Podman relies on an OCI compliant Container Runtime (runc, crun, runv, etc) to interface with the operating system and create the running containers. This makes the running containers created by Podman nearly indistinguishable from those created by any other common container engine.
Containers under the control of Podman can either be run by root or by a non-privileged user. Podman manages the entire container ecosystem which includes pods, containers, container images, and container volumes using the libpod library. Podman specializes in all of the commands and functions that help you to maintain and modify OCI container images, such as pulling and tagging. It allows you to create, run, and maintain those containers and container images in a production environment.
Harbor is a self-hosted Docker registry with a large number of additional features that big companies probably love, among them vulnerability scanning, third-party authentication support, cryptographic signing and verification of images, and a GUI.
When you use Docker Hub, this is what you're using.
docs/deploying.md describes how to deploy Registry as a Docker container. They definitely don't make it easy to break out of their ecosystem.
Quay is a self-hosted Docker container registry. It supports the Docker registry protocol v2, Docker manifest schema v2.1 and v2.2, image discovery and squashing, third-party authentication, and more.
GitHub org for Simplenetes, a container orchestrator implemented as shell scripts that positions itself as a simpler alternative to Kubernetes. Does not require root.
Docker re-implemented as a 100-line shell script.
Language-focused Docker images, minus the operating system. Put a statically linked binary in there and fire it up. Designed with Go in mind.
tfviz analyzes Terraform deployment files and generates maps which depict what it's going to do in production. Right now it only works with AWS environments.
A simple terminal UI for Docker and docker-compose, written in Go, with a full text-based UI for monitoring and exploring your containers. It tries to make working with Docker and docker-compose easier by keeping everything in a single terminal window with shortcuts for common Docker commands. You can add custom commands too, and it seems to support mousing around.
This repo contains a CLI tool to delete all cloud (AWS, Azure, GCP) resources in an account. cloud-nuke was created for situations where you have an account used for testing and need to clean up leftover resources so you're not charged for them. It is also useful for cleaning out accounts with redundant resources. It is destructive by design: point it only at disposable accounts, and scope a run by region, resource type and resource age before letting it delete anything.
A number of GitHub repos of code meant to harden servers in various ways prior to deployment.
k3s is intended to be a fully compliant Kubernetes distribution with the following changes:
- Legacy, alpha and non-default features are removed. Hopefully, you shouldn't notice the stuff that has been removed.
- Most in-tree plugins (cloud providers and storage plugins) are removed; they can be replaced with out-of-tree addons.
- sqlite3 is added as the default storage mechanism. etcd3 is still available, but not the default.
- Wrapped in a simple launcher that handles a lot of the complexity of TLS and options.
- Minimal to no OS dependencies (just a sane kernel and cgroup mounts are needed).
- k3s packages required dependencies
wait-for-it.sh is a pure bash script that waits on the availability of a host and TCP port. It is useful for synchronizing the spin-up of interdependent services, such as linked Docker containers. Since it is a pure bash script, it does not have any external dependencies.
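The technique wait-for-it.sh relies on, as an added example written for this page rather than the project's own script: bash can open a TCP connection through its built-in `/dev/tcp/HOST/PORT` pseudo-device, so a dependency wait needs no `nc` or `curl`. The example adds the two guards a practitioner wants in a startup script: a per-attempt cap, so a black-holed host cannot stall each probe for the kernel's full connect timeout, and an overall deadline, so a service that never comes up fails the job instead of hanging it forever. Host, port and timeout values are arguments; nothing here is tied to a specific service.

```shell
#!/usr/bin/env bash
# Added example, not wait-for-it.sh itself: block until a TCP port accepts
# connections, in pure bash via the /dev/tcp pseudo-device, with a
# per-attempt cap and an overall deadline.

# try_connect HOST PORT [PER_TRY_SECONDS]
# Returns 0 if a TCP connect succeeds within PER_TRY_SECONDS, 1 otherwise.
# The connect runs in a background subshell so a host that never answers
# the SYN cannot hold us for the kernel's full connect timeout.
try_connect() {
  local host=$1 port=$2 per_try=${3:-2} pid rc=0 i
  ( exec 3<>"/dev/tcp/${host}/${port}" ) 2>/dev/null &
  pid=$!
  for ((i = 0; i < per_try * 5; i++)); do      # poll every 0.2s
    if ! kill -0 "$pid" 2>/dev/null; then       # subshell already finished
      wait "$pid" || rc=$?                      # 0 = connected, else refused
      return "$rc"
    fi
    sleep 0.2
  done
  kill "$pid" 2>/dev/null                       # still connecting: give up
  wait "$pid" 2>/dev/null || true
  return 1
}

# wait_for_tcp HOST PORT [TIMEOUT_SECONDS]
# Polls try_connect until it succeeds or TIMEOUT_SECONDS elapse (default 15).
wait_for_tcp() {
  local host=$1 port=$2 timeout=${3:-15} start=$SECONDS
  while ! try_connect "$host" "$port"; do
    if (( SECONDS - start >= timeout )); then
      echo "wait_for_tcp: ${host}:${port} not reachable after ${timeout}s" >&2
      return 1
    fi
    sleep 1
  done
  echo "wait_for_tcp: ${host}:${port} is accepting connections" >&2
  return 0
}

# Usage when run directly:  ./wait-tcp.sh db 5432 30 && exec ./start-app
if [[ $# -ge 2 ]]; then
  wait_for_tcp "$@"
fi
```

A port that accepts a TCP handshake is not the same as a service that is ready to serve (a database may still be replaying its log), so for anything beyond container-start ordering, follow the port wait with an application-level health check.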
A compiled list of links to public failure stories related to Kubernetes. Most recent publications on top.