I manage around 15 AWS accounts, and I often stumble upon random RDS instances and S3 buckets that aren't integrated into our Terraform state. It feels like I'm playing a never-ending game of whack-a-mole trying to figure out which resources are managed and which ones are not. I'm hesitant to revoke console access for everyone, as that would cause a lot of unrest. I've been considering using ControlMonkey.io for cloud inventory scanning to assess our Infrastructure as Code (IaC) coverage. Are there better methods out there, or do I have to rely on a specialized tool to keep everything under control?
10 Answers
A lot of these suggestions sound like ads for products. Just keep an eye out to avoid falling for marketing pitches disguised as advice!
This seems like an ongoing issue in larger organizations; there's often a lot of tangled permissions and shadow IT to manage effectively!
Regularly wipe any resources not tracked in your IaC. Doing this every couple of weeks can help manage drift effectively. It's a bit harsh, but it ensures that only compliant resources remain.
Absolutely! A routine clean-up is essential, especially for non-production environments.
I like to tag every resource created through Terraform with an ownership tag. This way, you can track down anything that isn't tagged with the IaC. Just be aware that if people are creating resources manually, they might add those tags, complicating the issue.
True, they could just add tags themselves, which makes things tricky. It's really about limiting their ability to create these resources if they aren't following the process.
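One way to turn the tag-and-state idea into a repeatable check, added here as an example and not code from anyone in the thread: read the ARNs out of each account's Terraform state, compare them with what the account actually contains, and treat "carries the IaC tag but appears in no state file" as its own bucket, since that is exactly the hand-tagged case the replies above worry about. Assumptions: state files are standard Terraform JSON state (`resources[].instances[].attributes.arn`), the inventory has the shape of the Resource Groups Tagging API's `ResourceTagMappingList`, and `ManagedBy=terraform` is the ownership tag convention; the state and inventory below are constructed.

```python
"""Reconcile a per-account resource inventory against Terraform state.

Added example, not from the thread. Assumptions: state files are the
standard Terraform JSON state (resources[].instances[].attributes.arn),
the inventory has the shape of the Resource Groups Tagging API's
ResourceTagMappingList, and "ManagedBy=terraform" is the ownership tag
convention. All sample data below is constructed.
"""
from __future__ import annotations
import json

MANAGED_TAG_KEY = "ManagedBy"       # assumed tag convention
MANAGED_TAG_VALUE = "terraform"


def managed_arns(*state_docs: str) -> set[str]:
    """Collect every ARN recorded in one or more Terraform state documents."""
    arns: set[str] = set()
    for doc in state_docs:
        state = json.loads(doc)
        for res in state.get("resources", []):
            if res.get("mode") != "managed":   # data sources are read-only lookups
                continue
            for inst in res.get("instances", []):
                arn = inst.get("attributes", {}).get("arn")
                if arn:
                    arns.add(arn)
    return arns


def classify(inventory: list[dict], state_arns: set[str]) -> dict[str, list[str]]:
    """Bucket inventory ARNs as managed, untracked, or tag_without_state
    (carries the IaC tag but is in no state file: a hand-added tag)."""
    result: dict[str, list[str]] = {"managed": [], "untracked": [], "tag_without_state": []}
    for item in inventory:
        arn = item["ResourceARN"]
        tags = {t["Key"]: t["Value"] for t in item.get("Tags", [])}
        claims_managed = tags.get(MANAGED_TAG_KEY) == MANAGED_TAG_VALUE
        if arn in state_arns:
            result["managed"].append(arn)
        elif claims_managed:
            result["tag_without_state"].append(arn)
        else:
            result["untracked"].append(arn)
    for bucket in result.values():
        bucket.sort()
    return result


# Constructed sample: a minimal state document from one account.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "aws_s3_bucket", "name": "logs",
         "instances": [{"attributes": {"arn": "arn:aws:s3:::acme-logs", "bucket": "acme-logs"}}]},
        {"mode": "managed", "type": "aws_db_instance", "name": "app",
         "instances": [{"attributes": {"arn": "arn:aws:rds:us-east-1:123456789012:db:app-db"}}]},
        {"mode": "data", "type": "aws_caller_identity", "name": "current",
         "instances": [{"attributes": {"arn": "arn:aws:iam::123456789012:user/ci"}}]},
    ],
})

# Constructed sample: what the tagging API would list for the same account.
SAMPLE_INVENTORY = [
    {"ResourceARN": "arn:aws:s3:::acme-logs",
     "Tags": [{"Key": "ManagedBy", "Value": "terraform"}]},
    {"ResourceARN": "arn:aws:rds:us-east-1:123456789012:db:app-db",
     "Tags": [{"Key": "ManagedBy", "Value": "terraform"}]},
    {"ResourceARN": "arn:aws:s3:::someones-scratch", "Tags": []},
    # Hand-created, then tagged to look managed: the case raised in the thread.
    {"ResourceARN": "arn:aws:rds:us-east-1:123456789012:db:test-db",
     "Tags": [{"Key": "ManagedBy", "Value": "terraform"}]},
]


def demo() -> dict[str, list[str]]:
    return classify(SAMPLE_INVENTORY, managed_arns(SAMPLE_STATE))


if __name__ == "__main__":
    for bucket, arns in demo().items():
        print(f"{bucket}: {arns}")
```

Because `managed_arns` accepts any number of state documents, the same check runs across all 15 accounts by feeding it every state file you pull from your backend; the tag is only used to separate "nobody claims this" from "someone tagged this by hand", and state membership, not the tag, decides what counts as managed.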
One straightforward solution is to revoke write access to the console. This can help prevent new unmanaged resources from popping up unexpectedly. If you can, consider making access read-only for those who don’t need to make changes.
Or at least, restrict console access to read-only for everyone. This should help minimize issues.
If you're looking for specialized tools, consider awsight.com. It helps monitor configuration drift and shadow IT, which can be handy in your scenario.
Using tags is a good practice. I haven't encountered anyone trying to tag unmanaged resources as IaC-managed here. If they did, they'd certainly face serious consequences! You've inspired me to work on a better tracking tool, though.
You might also consider using something like Cloud Custodian, which can automatically set a creator tag for every new resource as it gets created. It can help maintain control over what's being deployed.
For tracking user activities, you can check CloudTrail logs; they can show you if actions were performed via the console. If someone in your environment is making changes they shouldn't, you can easily identify them and address the issue. You might even want to call them out in Slack to make it more visible!
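The CloudTrail review described above, as an added example that is not code from the commenter: walk a batch of records, keep only write calls, drop the ones made by the role your pipeline uses, and report who made the rest and whether the call came through the console. Field names follow the CloudTrail record format (`eventName`, `readOnly`, `userAgent`, `userIdentity`, `sessionCredentialFromConsole`); the records below are constructed, and the CI role name `TerraformCI` is an assumption.

```python
"""Pick out-of-band write calls out of CloudTrail records.

Added example, not from the thread. Field names follow the CloudTrail
record format (eventName, readOnly, userAgent, userIdentity,
sessionCredentialFromConsole); the records below are constructed and
the CI role name "TerraformCI" is an assumption.
"""
import json
import re

ALLOWED_WRITER_ROLES = {"TerraformCI"}   # assumed: only CI may mutate infra
CONSOLE_USER_AGENTS = ("console.amazonaws.com", "signin.amazonaws.com", "AWS Internal")
# Fallback when a record carries no readOnly flag: classify by API verb.
WRITE_VERB = re.compile(r"^(Create|Put|Delete|Modify|Update|Run|Start|Stop|Attach|Detach|Authorize)")


def is_write(event: dict) -> bool:
    if "readOnly" in event:            # CloudTrail's own classification, when present
        return not event["readOnly"]
    return bool(WRITE_VERB.match(event.get("eventName", "")))


def principal_name(event: dict) -> str:
    """Role name for assumed-role sessions, user name otherwise."""
    ui = event.get("userIdentity", {})
    if ui.get("type") == "AssumedRole":
        return ui.get("sessionContext", {}).get("sessionIssuer", {}).get("userName", "")
    return ui.get("userName", ui.get("arn", ""))


def from_console(event: dict) -> bool:
    if str(event.get("sessionCredentialFromConsole", "")).lower() == "true":
        return True
    return event.get("userAgent", "").startswith(CONSOLE_USER_AGENTS)


def out_of_band_writes(records: list) -> list:
    """Write events by any principal other than the allowed writer roles."""
    hits = []
    for ev in records:
        if not is_write(ev):
            continue
        who = principal_name(ev)
        if who in ALLOWED_WRITER_ROLES:
            continue
        hits.append({
            "time": ev.get("eventTime"),
            "account": ev.get("recipientAccountId"),
            "principal": who,
            "identity_arn": ev.get("userIdentity", {}).get("arn"),
            "action": f"{ev.get('eventSource')}:{ev.get('eventName')}",
            "via_console": from_console(ev),
        })
    return hits


# Constructed sample log in the shape of a CloudTrail log-file delivery.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T09:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "readOnly": True, "recipientAccountId": "123456789012",
     "userAgent": "console.amazonaws.com", "sessionCredentialFromConsole": "true",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Developer/alice",
                      "sessionContext": {"sessionIssuer": {"userName": "Developer"}}}},
    {"eventTime": "2024-05-01T09:05:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "CreateDBInstance", "readOnly": False, "recipientAccountId": "123456789012",
     "userAgent": "console.amazonaws.com", "sessionCredentialFromConsole": "true",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Developer/alice",
                      "sessionContext": {"sessionIssuer": {"userName": "Developer"}}}},
    {"eventTime": "2024-05-01T09:10:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CreateBucket", "readOnly": False, "recipientAccountId": "123456789012",
     "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.7.0",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/TerraformCI/run-42",
                      "sessionContext": {"sessionIssuer": {"userName": "TerraformCI"}}}},
    {"eventTime": "2024-05-01T09:20:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "recipientAccountId": "123456789012",
     "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob", "userName": "bob"}},
]})


def demo() -> list:
    return out_of_band_writes(json.loads(SAMPLE_LOG)["Records"])


if __name__ == "__main__":
    for hit in demo():
        print(json.dumps(hit))
```

On the constructed input this reports the console `CreateDBInstance` by the `Developer` role session and the CLI `PutBucketPolicy` by user `bob`, and ignores both the read-only console call and the `CreateBucket` made by the CI role. The `identity_arn` field carries the session name (`alice`) so the finding points at a person, not just a shared role.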
Honestly, why are developers allowed to make such changes in the first place? If you limit IAM permissions, you remove a lot of these issues right at the source.

Right? It's frustrating when it feels like everyone is just trying to peddle something. I question the authenticity of some suggestions.