今日已更新 339 条资讯 | 累计 19899 条内容
关于我们

标签:#terraform

找到 18 篇相关文章

AI 资讯

Adopting Terraform Ephemeral Resources

In version 1.11, HashiCorp introduced Terraform Ephemeral resources and write-only attributes to allow for root configs that do not store secrets in the Terraform statefile. But many users ask about how they can adopt ephemerals. This blog attempts to lay out the ways secrets can be stored in state and how you should update your configurations to remove those secrets. Note: For a primer on ephemerals ( see this blog post ). Scenarios to consider: Data sources that fetch a static secret Resources that receive a secret Resources that generate a dynamic a secret Resources that fetch generated secrets to store in another 3rd party system Scenario 1: Data sources with static secrets Ephemeral resources can often be a drop-in replacement for data sources pulling static values: data "vault_kv_secret_v2" "static_kv" { mount = "kvv2" name = "my_password" } ephemeral "vault_kv_secret_v2" "static_kv" { mount = "kvv2" name = "my_password" } However, using these values has 1 specific difference. The attributes on a ephemeral resource are considered ephemeral and can only be used as ephemeral arguments. That means 2 places: Provider blocks Provider blocks are considered ephemeral, so ephemeral resources may populate arguments: provider "example" { password = tostring ( ephemeral . vault_kv_secret_v2 . static_kv . data . password ) } Write-only arguments Write-only arguments are special arguments that require the ephemeral taint for values: resource "aws_db_instance" "example" { ... password_wo = tostring ( ephemeral . vault_kv_secret_v2 . static_kv . data . password ) } If the resource you wish to pass a value to does not have an available ephemeral, open an issue with that provider. You can reference: this blog post this agent skill Scenario 2: Resources that receive a static secret Without duplicating to the section above, write-only arguments are a way to get secrets out of state. Above has guidance if the secret value comes from a data source, but what if its from a variable?

2026-07-09 原文 →
AI 资讯

Terraform LifeCycle Rules

Day 9 of the 30 Days of AWS Terraform series focuses on Terraform Lifecycle Rules — powerful controls that decide how Terraform creates, updates, replaces, and destroys resources. What Terraform LifeCycle meta arguments are Lifecycle meta arguments allow us to control how Terraform behaves when it creates, updates, or destroys resources. They help us: Avoid downtime Protect important resources Handle changes made outside Terraform Validate configurations before and after deployment Enforcing compliance Controlling replacement behavior Lifecycle rules allow us to override default behavior safely. Lifecycle rules are Terraform-native controls applied inside a resource block: lifecycle { ... } Lifecycle Rules Covered 1️⃣ create_before_destroy — Zero Downtime Updates Problem: Terraform destroys the old resource before creating the new one → downtime. Solution: lifecycle { create_before_destroy = true } Behavior: New resource is created first Old resource is destroyed only after Ensures zero downtime 2️⃣ prevent_destroy — Protect Critical Resources This setting prevents Terraform from deleting a resource. Example If Terraform tries to destroy this resource, it will fail with an error. This is useful for: Production databases State storage buckets Important data resources 3️⃣ ignore_changes — Allow External Modifications Problem: Terraform overwrites manual or automated external changes. Solution: lifecycle { ignore_changes = [desired_capacity] } Demo: Auto Scaling Group desired capacity modified manually in AWS Console terraform apply did not revert the change Behavior: Terraform ignores changes for specified attributes. ✅ Use for: Auto Scaling Groups Resources modified by external systems Ops-driven configurations 4️⃣ replace_triggered_by — Replace When Dependency Changes Problem: Changing a dependency doesn’t always recreate dependent resources. Solution: lifecycle { replace_triggered_by = [aws_security_group.main] } Behavior: When security group changes EC2 instance i

2026-07-08 原文 →
AI 资讯

AWS Is Not Simpler. Agents Just Got Better at Reading It.

I optimized my architecture for the wrong model. I used to think black-box infrastructure was the right abstraction for AI-driven development. Vercel, Supabase, Cloudflare Workers — a sharp contract in front, a managed backend behind — felt like the obvious fit. The less an agent had to reason about, the fewer places it could get lost. Give it a clean interface, hide the messy backend, move fast. I still think that was right for the agents we had last year. I don't think it's right for the agents we're starting to use now. The shift is not that AWS got simpler. It didn't. Setup still takes longer, CI/CD takes more work to wire, and cost control has real limits. The shift is that agents got better at reading complexity — and once an agent can actually use a large structured context, the things I treated as overhead (resources, provider schemas, IAM policies, explicit queues, explicit alarms, explicit networks) become the highest-signal context I can hand it. To keep this concrete, I'm holding the tool constant. This is HCL/Terraform on AWS vs HCL/Terraform on Cloudflare — same language, same workflow, two providers. The inversion Agents are… Best served by… Context-poor (last year's loops) Black boxes — shrink the surface, hide the backend Context-rich (now) Inspectable systems — describe everything as code The one-line version: The better agents get at reading, the more valuable explicit infrastructure becomes. I didn't become more pro-AWS because AWS got easier. I became more pro-AWS because agents got better at reading it. Same Terraform, two providers The interesting comparison isn't AWS-elegance vs Cloudflare-elegance. It's how much of the infrastructure topology and operational contract an agent can reconstruct from the HCL plus the provider schema alone. Terraform × AWS Terraform × Cloudflare Provider maturity AWS provider is about as battle-tested as IaC gets; enormous public corpus of modules/examples v5 is a ground-up, OpenAPI-generated rewrite — improving

2026-07-07 原文 →
AI 资讯

Scaling Terraform Infrastructure Beyond a Single Team

When a single engineer manages all the Terraform in an organisation, everything is simple. One repo, one state, one pipeline, one set of credentials. There's no coordination overhead because there's no one to coordinate with. That stops working the moment a second team needs to deploy infrastructure. And by the time you have three or four teams — networking, platform, application, security — the single-team model is actively slowing everyone down. This guide covers what breaks, how teams typically work around it, and how to set up a structure where each team owns their slice of infrastructure independently. What breaks State lock contention Terraform's state locking is per-state. When the networking team is running terraform plan , the application team's pipeline is blocked — even though they're changing completely unrelated resources. The more teams share a state, the more time everyone spends waiting. Blast radius A junior engineer deploying a new application service shouldn't be able to accidentally destroy the VPC. But if application resources and networking resources share a state, a single misconfigured terraform apply can touch anything. Code review catches some of this. Not all of it. Credential sprawl A shared pipeline needs credentials for everything — the networking team's Azure subscription, the application team's AWS account, the security team's DNS provider. Every team's secrets end up in one CI environment, accessible to anyone who can trigger a run. This fails most compliance audits. Approval bottlenecks In many organisations, one person or a small group gatekeeps all infrastructure changes. Every PR needs their review. Every apply needs their approval. The gatekeeper becomes a bottleneck not because they're slow, but because they're a single point of serialisation for all infrastructure work. Backend access as implicit access control Terraform has no built-in concept of per-team or per-workspace permissions. All workspaces in a backend share the sam

2026-07-06 原文 →
AI 资讯

Managing Terraform Across Multiple Cloud Providers

Most organisations don't live in a single cloud. You might run compute in AWS, DNS in Cloudflare, identity in Azure AD, and logging in GCP. Terraform handles each provider fine on its own, but the moment you need to coordinate across providers the tooling fights you. This guide walks through the common pain points of multi-cloud Terraform setups and the approaches teams use to cope — then shows how Snap CD makes cross-cloud dependency management a solved problem. Where it gets difficult Credential sprawl Each cloud provider has its own authentication mechanism. AWS uses IAM roles and access keys. Azure uses service principals and managed identities. GCP uses service accounts and workload identity federation. A single Terraform state that spans providers needs credentials for all of them — which means your CI runner or developer workstation holds keys to everything. That's a security problem. A compromised CI pipeline with AWS and Azure credentials exposes both clouds simultaneously. And it's an operational problem — rotating credentials means updating every pipeline that touches that state. This problem compounds at scale: Terraform couples provider processes tightly to credentials , so managing hundreds of accounts across clouds means spawning thousands of provider processes, which quickly becomes unmanageable. Provider version conflicts Terraform providers are versioned independently. Upgrading the AWS provider to fix a bug in aws_eks_cluster shouldn't require you to also test a new version of the Azure provider. But when they share a state, a terraform init -upgrade pulls new versions for everything, and a regression in one provider blocks all deployments. Terraform also lacks built-in support for instantiating multiple providers with a loop and passing providers to modules in for_each , making multi-cloud configurations especially verbose and repetitive. Blast radius across clouds A misconfigured terraform apply in a single-cloud state damages resources in one c

2026-07-06 原文 →
AI 资讯

You Can't Review an Agent. You Can Review a Plan.

A harness for AI-era Terraform. I'm building one. For a while now I've been developing a harness for infrastructure-as-code as a private SDK and compiler — the layer that sits between whoever proposes a change (a person, an agent, CI) and whatever actually reaches production. This post isn't the tool. It's the thinking underneath it, and the few pieces I've become most convinced by while building it. (Notes from inside the work — where I've landed so far, not advice.) The problem that sent me down this road is easy to state and easy to underrate. A version of it happened recently. An agent fixed some Terraform; the PR read clean — tidy diff, sensible resource names, a plan output that looked exactly like what I'd asked for. It got approved. And then, at apply time, a different plan ran than the one that was reviewed: apply had re-planned against state that moved in between, and the diff that touched production wasn't quite the diff anyone had read. Nothing broke, that time. But that near-miss is the whole reason the harness exists. Because the danger was never "the agent writes bad HCL." Agents write perfectly good HCL; I let them. The danger is the distance between the plan a human reviewed and the plan that actually runs — and once agents are the ones proposing changes at volume, that distance is the thing I most want to nail shut. Where I've landed for now (and expect to keep revising): What AI-era IaC needs isn't AI that can apply . It's a structure where every change — human or agent — is evaluated at the same boundary , and only a reviewed plan ships. The unit of trust isn't the agent. It's a specific, reviewed plan , bound byte for byte. You can't review an agent. You can only review a plan. Instructions to an agent can be broken. A CI gate can't be talked out of it. Put guidance in the prompt; put the guarantee in the gate. Terraform/OpenTofu don't go away. You wrap them in a harness; you don't replace them. Your repo has non-human authors now For years IaC

2026-07-06 原文 →
AI 资讯

Securing Your Terraform Infrastructure with Checkov and GitHub Actions

Infrastructure as Code (IaC) has revolutionized how we provision and manage cloud resources. Tools like Terraform, Pulumi, and OpenTofu allow us to define infrastructure using code, making it versionable, repeatable, and scalable. However, with great power comes great responsibility. Misconfigurations in IaC can lead to massive security breaches, such as publicly exposed data storage or overly permissive access roles. This is where Static Application Security Testing (SAST) comes in. SAST tools analyze your source code to find security vulnerabilities before the code is deployed. In this article, we'll explore how to apply SAST to a Terraform project using Checkov , a popular open-source static analysis tool for IaC, and how to automate this process using GitHub Actions. (Note: We are intentionally avoiding tfsec for this demonstration to explore other powerful alternatives). Why Checkov? Checkov, created by Bridgecrew (now part of Prisma Cloud), is a static code analysis tool for IaC. It scans cloud infrastructure provisioned using Terraform, Terraform plan, Cloudformation, Kubernetes, Dockerfile, Serverless, or ARM Templates and detects security and compliance misconfigurations. It includes hundreds of built-in policies covering security and compliance best practices for AWS, Azure, and Google Cloud. The Demo Scenario: A Vulnerable S3 Bucket Let's start by creating a simple Terraform configuration for an AWS S3 bucket. We will intentionally introduce a security misconfiguration: making the bucket public without encryption. Create a file named main.tf : # main.tf provider "aws" { region = "us-east-1" } resource "aws_s3_bucket" "my_vulnerable_bucket" { bucket = "my-company-public-data-bucket-12345" } # Misconfiguration 1: Public Read Access resource "aws_s3_bucket_acl" "example" { bucket = aws_s3_bucket . my_vulnerable_bucket . id acl = "public-read" } If we were to deploy this, anyone on the internet could read the contents of this bucket. Let's see how Checkov can

2026-07-05 原文 →
AI 资讯

The Right Way to Pair AI With Terraform Plans

terraform plan is honest about what it's going to do. The problem is it's also verbose, repetitive, and full of cosmetic changes (like recomputed tags) mixed in with real ones (like a database instance scheduled for -/+ replace ). On a 400-line plan, the dangerous changes hide. This is the kind of task AI is actually good at: skimming structured text, flagging the entries that matter, ignoring the rest. But "paste plan into Claude" is not the workflow. There's a specific shape to this that works. Why people get this wrong The natural instinct is to copy the plan output and paste it into a chat: Terraform will perform the following actions : # aws_instance.web will be updated in-place ~ resource "aws_instance" "web" { id = "i-0abc123def456" ~ instance_type = "t3.small" - > "t3.medium" ... The model will respond with a sentence about each line. You'll scroll. You'll skim. You'll miss the -/+ replace on the database because it's in the middle of 30 routine updates. This is the same failure mode as pasting a wall of logs and asking "is anything wrong?" The model is too polite to skip things. You need to tell it to. The format that actually works: JSON terraform show -json tfplan outputs a structured representation of the plan that's much easier to reason about than the text format. Two reasons: The "actions" field is explicit. Each resource_change has a change.actions array — ["create"] , ["delete"] , ["update"] , or ["delete", "create"] for replace. No ambiguity. You can filter before pasting. With jq , you can extract only the dangerous changes, drop the noise, and feed a 20-line summary into the AI instead of a 400-line plan. Try this: terraform plan -out = tfplan terraform show -json tfplan > plan.json # Get just the dangerous changes jq '[.resource_changes[] | select(.change.actions | contains(["delete"])) | {address, type, actions: .change.actions}]' plan.json That's the AI's input. Compact, unambiguous, and pre-filtered to the changes that need a human decision.

2026-07-04 原文 →
AI 资讯

Splitting a Terraform Monolith into Smaller States

If your Terraform plans are slow, your blast radius is too wide, or multiple teams are stepping on each other's changes, it's time to split your monolith. See The Problem with Large Terraform States for how to diagnose whether you've reached that point. This guide walks through the process of breaking a monolithic Terraform state into smaller, focused states — and how Snap CD can manage the dependencies between them so you don't have to. The approach 1. Identify natural boundaries Look at your resources and group them by lifecycle and ownership. Common boundaries: Networking — VPCs, subnets, route tables, NAT gateways. Changes rarely, underpins everything. DNS — Zones, records. Usually owned by a platform team. Compute — Kubernetes clusters, VM scale sets, container services. Changes more often, depends on networking. Application infrastructure — Databases, caches, queues, storage accounts. Owned by application teams. Monitoring — Dashboards, alerts, log sinks. Changes frequently, depends on everything but nothing depends on it. A useful test: if two resources would never be changed in the same PR by the same person, they probably belong in different states. 2. Map the dependencies Before you move anything, draw the dependency graph. Which groups produce values that other groups consume? networking dns │ ▲ ▼ │ compute ──────────►─┘ │ ▼ application │ ▼ monitoring The outputs that cross these boundaries are what you'll need to wire up after the split. Typical examples: Networking → Compute: vpc_id , private_subnet_ids Compute → DNS: load_balancer_ip Compute → Application: cluster_endpoint , cluster_ca_certificate Application → Monitoring: database_id , cache_name 3. Use terraform state mv to migrate resources Terraform's state mv command lets you move resources from one state to another without destroying and recreating them. # Initialize the destination state cd modules/networking terraform init # Move resources from the monolith to the new state terraform state mv \

2026-06-30 原文 →
AI 资讯

The Problem with Large Terraform States

At some point every growing Terraform project hits a wall. Plans that used to finish in seconds now take minutes. Applies feel risky because hundreds of resources share a single blast radius. Colleagues avoid running terraform plan because it hammers cloud APIs hard enough to trigger throttling. The state file itself becomes a liability — large, slow to lock, and one bad write away from corruption. This guide covers the symptoms of an oversized state, the band-aids teams reach for, and the structural fix that actually works. How Terraform state works under the hood Every terraform plan does two things: Refresh — for every resource in state, Terraform calls the provider's API to read the current real-world status. A state with 500 resources means 500+ API calls, often more when resources have nested data sources. Diff — compare the refreshed state against the desired configuration and produce a change set. The refresh phase is the bottleneck. It's sequential per provider (parallelism helps across providers, not within one), and every resource pays the cost whether you changed it or not. Adding ten resources to a 500-resource state doesn't make plans 2% slower — it makes the refresh 2% slower on every single plan, for every engineer, forever. Symptoms of a state that's too large Slow plans The most visible symptom. Plan time scales with resource count because every resource is refreshed on every plan, regardless of whether its configuration changed. The exact speed depends on provider — AWS resources with complex nested structures (IAM policies, security group rules) are slower to refresh than simple ones, and Azure resources that require multiple API calls per refresh are worse still. These aren't edge cases — users regularly report 2,900-resource states taking 20–25 minutes to plan and 1,600-resource states taking 8+ minutes . Even starting Terraform with a large state can take minutes before a single API call is made . There's a long-standing proposal for terraform

2026-06-30 原文 →
AI 资讯

OCI Database Auto Backup Window Time Slots Reference

The Database resource in Oracle Cloud Infrastructure Database service provides an optional auto_backup_window option in its API during creation ( Terraform resource: oci_database_database ). The database resource can be used in an OCI Base DB system or Exadata Cloud VM Cluster pluggable database (PDB) for example. The time window enum value selected for initiating automatic backup for the database system is available in twelve two-hour UTC time windows as the following: Slot Description SLOT_ONE 12:00AM - 2:00AM UTC SLOT_TWO 2:00AM - 4:00AM UTC SLOT_THREE 4:00AM - 6:00AM UTC SLOT_FOUR 6:00AM - 8:00AM UTC SLOT_FIVE 8:00AM - 10:00AM UTC SLOT_SIX 10:00AM - 12:00PM UTC SLOT_SEVEN 12:00PM - 2:00PM UTC SLOT_EIGHT 2:00PM - 4:00PM UTC SLOT_NINE 4:00PM - 6:00PM UTC SLOT_TEN 6:00PM - 8:00PM UTC SLOT_ELEVEN 8:00PM - 10:00PM UTC SLOT_TWELVE 10:00PM - 12:00AM UTC Timezone used for the slots is always UTC regardless of the timezone used in the database. For example, if the user selects SLOT_TWO from the enum list, the automatic backup job will start in between 2:00 AM (inclusive) to 4:00 AM (exclusive) If no option is selected, a start time between 12:00 AM to 7:00 AM in the region of the database is automatically chosen. Reference Terraform resource: oci_database_database OCI API Reference: Database DbBackupConfig Safe harbor statement The information provided on this channel/article/story is solely intended for informational purposes and cannot be used as a part of any contractual agreement. The content does not guarantee the delivery of any material, code, or functionality, and should not be the sole basis for making purchasing decisions. The postings on this site are my own and do not necessarily reflect the views or work of Oracle or Mythics, LLC. This work is licensed under a Creative Commons Attribution 4.0 International License (CC-BY 4.0) .

2026-06-30 原文 →
AI 资讯

Opentofu vs pulumi, which one survives a 200-account landing zone

IaC tools built for single-team deployments fail structurally at 200 accounts because the failure modes are architectural, not configurational. Why 200 Accounts Is Where IaC Tools Break IaC tools built for single-team deployments fail structurally at 200 accounts because the failure modes are architectural, not configurational. Scale Threshold State Management Provider Auth Overhead Execution Time Impact ~10 accounts One backend bucket, one workspace; quirks are routable Not a meaningful bottleneck Sequential plan/apply is manageable ~50 accounts Sequential execution still viable; blast radius contained Per-account latency exists but tolerable Below threshold where parallelism is required 200+ accounts 200 separate plan operations per shared-module refactor 3-sec per-account auth × 200 = 10 min added per plan cycle Sequential Terraform applies measured at 4.1 hours end-to-end A 10-account environment forgives sloppy state management. One backend bucket, one workspace convention, one pipeline. Engineers learn the tool's quirks and route around them. At 200 accounts, those same quirks compound. Why the threshold is 200 State lock contention, cross-account provider authentication chains, and module resolution latency stack on top of each other. The result is not slower deploys. It is non-deterministic deploys, which is operationally worse. The specific threshold matters. Below roughly 50 accounts, most teams run plan and apply sequentially without parallelism because the blast radius of a runaway apply is contained. Above 200 accounts, sequential execution becomes untenable. We measured a 200-account org where sequential Terraform applies across all accounts took 4.1 hours end-to-end. That latency made emergency remediation impossible inside a standard incident window. Three compounding failure modes State file proliferation. Each account carries its own state file, and each state file is a consistency boundary. At 200 accounts, a single refactor touching a shared modu

2026-06-17 原文 →
AI 资讯

I built a Terraform security scanner that lives inside GitHub PRs

The problem IAM wildcards and public S3 buckets keep slipping through Terraform code review. Tools like Checkov and tfsec exist but they live in CI, require config files, and developers ignore the output because it's not where they're working. What I built TerraWatch is a GitHub App that scans every pull request that touches .tf files automatically. If it finds a security issue it blocks the merge and posts the exact code fix as a PR comment. The developer sees something like this in their PR: ⚠️ PUBLIC_S3_BUCKET - main.tf (Line 6) Severity: HIGH Risk: S3 bucket allows public read access. Fix: acl = "public-read" acl = "private" block_public_acls = true restrict_public_buckets = true They copy the fix, push, and the merge unblocks automatically. How it's different No YAML, no CI config - installs in 2 minutes via GitHub App Fixes are hardcoded diffs, not AI generated Nothing auto-applied - you review every fix No Checkov dependency - own lightweight rules engine Only reads changed .tf files in the PR, never your full codebase 29 rules covering S3 public access, IAM wildcards, open ports (SSH/RDP/MySQL/Postgres), unencrypted EBS/RDS, public databases, hardcoded secrets, EKS public endpoints, CloudTrail disabled, IMDSv1, and more. Try it Free during beta - terrawatch.dev Also launching on Product Hunt today if you want to show some support!

2026-06-16 原文 →
AI 资讯

I'm 62 and I built a self-hosted AWS drift detector because I was tired of spreadsheets

I came to programming late — I didn't get into this world until I was past 35, and I'm 62 now, still writing code every day. This is a "build in public" post about a tool I just finished, and I'd genuinely love your feedback. The itch For years I watched infrastructure teams keep their AWS inventory in spreadsheets. It always worked — right up until it didn't. Nobody had time to keep it current, and every single one eventually drifted away from reality. Middleware EOL was the same story: a hand-maintained list, no alerts, no dashboard, quietly going stale. One day I asked the obvious question: we have tfstate, we have boto3 — why are we still doing this by hand? What I built SyncVey is a self-hosted web app that: Inventories your AWS resources into a System → Environment → Asset ledger (EC2, ECS, Lambda, RDS, S3, ALB, VPC, EBS), scanned live via boto3/AssumeRole Detects attribute-level drift between your tfstate and live AWS — including resources someone built by hand in the console that terraform plan never sees Tracks the app/middleware layer per environment and flags end-of-life runtimes The drift piece is the part I care about most. terraform plan only knows about resources Terraform already manages. The thing that actually bites teams is the resource someone spun up by hand in the console — plan is blind to it. SyncVey diffs your tfstate against the live AWS state, so those show up too. The stack (and why) Django + htmx + Postgres — server-rendered, no SPA, no Node build step MIT-licensed, no SaaS, no telemetry One docker compose up and your data stays inside your own infrastructure git clone https://github.com/MR-TABATA/SyncVey cd SyncVey docker compose up I deliberately leaned on htmx because, for a tool someone has to deploy and maintain themselves, "no frontend toolchain" matters more than a fancy client. I'd love your honest take It's AWS-only for now and very much a solo project, so I'm sure there are rough edges. I'm not an AWS specialist — I deliberatel

2026-06-09 原文 →
AI 资讯

Terraform vs CDK vs Pulumi: Choosing Your Infrastructure-as-Code Tool

The IaC landscape split into two philosophies about a decade ago and hasn't fully resolved the argument since. On one side: declarative configuration languages designed specifically for infrastructure (Terraform HCL, CloudFormation YAML, Bicep). On the other: general-purpose programming languages brought to infrastructure (AWS CDK, Pulumi). Both approaches have won in production at major organizations. Neither is clearly superior. This comparison covers Terraform, AWS CDK, and Pulumi in depth — how they work, where they excel, where they struggle, and which makes sense for different team situations. It isn't a beginner introduction to any of these tools; if you're choosing between them for a real project, this assumes you've at least skimmed each one. The core philosophical difference Terraform's HCL is a purpose-built configuration language. It's not Turing-complete (no arbitrary loops, no recursion, limited conditionals). This is by design: HashiCorp's position is that infrastructure definitions should be readable, predictable, and safe to generate tooling around. When you read a .tf file, you can understand what it creates without executing anything. CDK and Pulumi take the opposite position: the limitations of configuration languages are a tax on productive engineers. Why invent a domain-specific language when TypeScript already exists? Real programming languages have proper abstractions, test frameworks, package managers, IDE support, and a billion engineers who already know them. Infrastructure should be no different from application code. Both positions have merit. The choice between them often comes down to who's writing the infrastructure more than which approach is technically superior. Terraform Terraform is the default choice for infrastructure-as-code in 2026. It works with every major cloud provider and hundreds of minor ones. The Terraform Registry has thousands of modules — reusable packages for common patterns like VPCs, EKS clusters, and RDS databa

2026-06-07 原文 →
AI 资讯

Production DevSecOps Pipeline — The Complete Day-2 Operations Runbook

DevSecOps Pipeline — Completion Runbook All code is written and pushed to GitHub. This runbook covers the remaining operational steps: Terraform applies, GitOps ARN updates, and ArgoCD deployment. Prerequisites Install these tools if not already present: # AWS CLI v2 winget install Amazon.AWSCLI # Terraform 1.6+ winget install HashiCorp.Terraform # Terragrunt # Download from https://github.com/gruntwork-io/terragrunt/releases # Place in C:\Windows\System32\ or add to PATH # kubectl winget install Kubernetes.kubectl # ArgoCD CLI winget install argoproj.argocd AWS Profile Setup The root terragrunt.hcl uses profiles named myapp-{env}-{region_alias} . Configure them in ~/.aws/config : [profile myapp-production-use1] region = us-east-1 role_arn = arn:aws:iam::591120834781:role/AdministratorAccess source_profile = default [profile myapp-production-usw2] region = us-west-2 role_arn = arn:aws:iam::591120834781:role/AdministratorAccess source_profile = default [profile myapp-staging-use1] region = us-east-1 role_arn = arn:aws:iam::690687753178:role/AdministratorAccess source_profile = default [profile myapp-staging-usw2] region = us-west-2 role_arn = arn:aws:iam::690687753178:role/AdministratorAccess source_profile = default [profile myapp-dev-use1] region = us-east-1 role_arn = arn:aws:iam::557702566877:role/AdministratorAccess source_profile = default [profile myapp-dev-usw2] region = us-west-2 role_arn = arn:aws:iam::557702566877:role/AdministratorAccess source_profile = default PHASE 1 — Terraform Applies Work from the myapp-infra/ directory. Run in the order shown — capture outputs for updating GitOps files in Phase 2. 1.1 WAF (production + staging) # Production us-east-1 terragrunt apply --terragrunt-working-dir live/production/us-east-1/waf # Output → webacl_arn (copy this value) # Production us-west-2 terragrunt apply --terragrunt-working-dir live/production/us-west-2/waf # Output → webacl_arn (copy this value) # Staging (no GitOps ARN needed, but good to have) terra

2026-05-29 原文 →