#IAC

2025-12-17

Create a custom Terraform module to deploy EKS: reuse code, simplify configuration & ensure consistency across environments. Includes VPC, IAM, EKS, Secrets Manager. The module helps abstract away complexity, reduce errors & increase efficiency. Use outputs to pass values between modules; dependencies are expressed by referencing outputs.

#Terraform #EKS #Kubernetes #DevOps #IaC #Module #AWS #TerraformModule #InfrastructureAsCode #DevOpsVietnam #KubernetesVietnam #AWSVietnam

dev.to/anil_kumar_noolu/day-

2025-12-17

Hello DevSecOps and Cyber experts!

🚨 Checkov: the DevSecOps Swiss Army knife for scanning your IaC before deployment!

We often talk about "shift-left" and integrating security as early as possible, but concretely, how do you do that effectively without breaking the dev workflow? Checkov deserves a serious look for anyone who wants to secure their infrastructure code from the design stage.

Checkov is not just an IaC scanner; it also does software composition analysis (SCA) for container images and open-source packages. That means you get a fairly complete picture, from vulnerabilities to misconfigurations, all before the code even touches the environment.

👉 It covers a wide range of formats:
* Terraform
* CloudFormation
* Kubernetes
* Helm
* Kustomize
* Dockerfile
* Serverless Framework
* Bicep, OpenAPI, ARM Templates... the list is long.

In other words, whatever your IaC stack, there is a good chance Checkov integrates with it without trouble. The idea is to catch problems where they are cheapest to fix: when the dev is writing the code. No more surprises in prod!

A crucial point that comes up often is secret detection. Checkov covers that too: it can spot credentials and other secrets lying around in configurations. We all know how devastating an exposed secret can be. It is an essential layer of protection.

Finally, and this is often what makes the difference with this kind of tool: customization. You can adapt the security policies to your specific needs and, above all, manage the suppression of false positives. Because an alert that is too noisy is an alert that gets ignored. Having control over that is vital to keep the tool usable and relevant for the teams.

To dig deeper, the GitHub repo: github.com/bridgecrewio/checkov

For a more complete supply chain strategy, Checkov should be complemented by other SCA & SBOM tools: Trivy, Syft, Dependency-Track, etc. for visibility into dependencies.

There are other DevSecOps tools, and Stephane ROBERT covers them in his docs:
* SAST: blog.stephane-robert.info/docs
* DAST: blog.stephane-robert.info/docs
* SCA: blog.stephane-robert.info/docs
* Container security: blog.stephane-robert.info/docs

Have you already tested Checkov in your CI/CD pipeline? Share your experience! What are your criteria for choosing a static analysis tool like Checkov?

#CyberSecurite #DevSecOps #CloudSecurity #Kubernetes #DockerSecurity #SCA #IaC #StaticCodeAnalysis #CloudNativeSecurity

2025-12-17

🚀 DNSimple Terraform Adapter 2.0 is here!
We're thrilled to announce the release of DNSimple Terraform Adapter 2.0, packed with documentation updates, upgraded dependencies and new helpful validations. ⚠️ It requires Terraform 1.12+ for full compatibility.
Check out the latest docs 👉 registry.terraform.io/provider
If you have any questions about DNSimple Terraform Adapter 2.0, get in touch, we'd love to help.
Happy automating!

#Terraform #DNSimple #IaC #DevOps

Puppet Community Team puppet@fosstodon.org
2025-12-16

PDK 3.6.0 is Now Available! Validate against Puppet or OpenVox and get loads of security patches in this release!

🔐 CVEs addressed via upgrades to Curl, OpenSSL, net-imap, and removing libxslt and nokogiri

👩‍💻 Other changes:
💠 Thank you to user cocker-cc for adding support to the pdk validate command to accept either openvox or puppet!
💠 License Update to latest Puppet Core license
💠 Dependency changes with Bolt and Rubocop

🧐Check release notes:

help.puppet.com/pdk/current/to

#Puppet #IaC

A Perforce Puppet announcement banner featuring the Perforce Puppet logo and two headings. The main heading reads “PDK 3.6.0” and the subheading reads “New release of the Puppet Development Kit now available!”
2025-12-15

OpenTofu v1.11 is out and now supports ephemeral resources and write-only attributes 🎉

I registered my provider in the OpenTofu registry: search.opentofu.org/provider/x

Enjoy ♥️

#iac #terraform #opentofu #webdav

2025-12-11

Day 16/30: Hands-on creating 26 IAM users in bulk from a CSV file with Terraform, automatically assigning groups (Education, Engineers, Managers) based on attributes, enabling console login with a temporary password and requiring a change. Using an S3 backend to store state, applying for_each, csvdecode() and conditional filtering. Saves time, improves security and manages access rights as IaC. #AWS #Terraform #IAM #DevOps #Cloud #QuảnTrị #IaC #AWSIAM

dev.to/anil_kumar_noolu/day-16

2025-12-10

How I got WSL, VirtualBox and Ansible to work together to quickly create Alpine VMs on Windows

Want to quickly spin up several lightweight Linux VMs from Windows, in a way that can easily be repeated? As a hobbyist and self-taught person, I recently decided to figure this out, and it all worked. Here is how I did it: on Windows, via WSL, I installed the Alpine minirootfs build, then with Ansible I deployed 3 virtual machines in Oracle VM VirtualBox based on the Alpine standard build. No clouds, just local control and a minimum of dependencies. What is all this for? These days people talk more and more about minimalist systems, about optimizing hardware for specific tasks, about working on edge devices, so I wanted to try it all with my own hands.

habr.com/ru/articles/974226/

#IaC #Ansible #linux #wsl #virtualbox #windows #alpinelinux #minirootfs #vm

2025-12-08

Managing files over #WebDAV with Terraform

broken-by-design.fr/posts/remo

In this blog post, I document the development of a #Terraform provider allowing practitioners to manage files over WebDAV.

This provider uses write-only attributes to handle sensitive content, which dramatically increases the complexity of this provider under the hood. The blog post explains why. There are takeaways and controls to add to your checklist if you are a security auditor.

#devops #devsecops #infosec #security #iac

2025-12-03

Dissecting VK Private Cloud: the most detailed details straight from the source

Hi Habr! The VK Cloud platform has a product that lets companies move their infrastructure partially or fully not into a public cloud but into a private one. That is, keep everything in their own data center and under their own control, while using the interface and tools developed by VK Tech. In this article we will explain how the VK Private Cloud platform works and how it actually differs from the public cloud. There will be many technical examples, details and configurations, and a minimum of general descriptions, only to clarify nuances. Plus details about the new version 4.3.

habr.com/ru/companies/vktech/a

#vk_cloud #private_cloud #частное_облако #IaC #виртуализация #vk_tech #приватное_облако

Man aging with nog praxiscode@mastodon.online
2025-12-02

Why is it spelled "Yak Shaving" and not "IaC Shaving"?

#Kubernetes #K8s #YakShaving #IACShaving #IaC #InfrastructureAsCode

2025-11-30

This MCP server enables AI agents and tools to search, discover, and retrieve detailed information about Azure Verified #Bicep Modules (AVM) via the Model Context Protocol (#MCP).

#Azure #IaC #AI #Microsoft

github.com/stefanstranger/avm-

2025-11-28

I also discovered that #debian does not build #libvirt #vagrant boxes anymore, so there is no debian13 available :(
Of course I still can build one by hand, or use #packer or one of those two projects which wraps it: github.com/chef/bento or github.com/boxcutter/kvm (if I absolutely need to use vagrant)

#sysadmin #infrastructureascode #iac #configurationmanagement

2025-11-28

Therefore it's time to evaluate #lima lima-vm.io/ which seems to be a direct #vagrant alternative and I found a #molecule driver github.com/filatof/molecule-li.

#sysadmin #infrastructureascode #iac #configurationmanagement

2025-11-28

What I had forgotten is that I need the integration with #ansible #molecule but there is no driver available. Of course I could test my ansible code in a completely different way but staying with the standard molecule tool is IMO better.
#pulumi is still quite interesting as an alternative to #terraform or #opentofu and their (awful?) HCL language, I'll look at it further later

#sysadmin #infrastructureascode #iac #configurationmanagement

2025-11-28

Billions in profit. Can't calculate a rough estimate or even display a progress bar. Thanks Amazon!

2025-11-26

Explore the entire IT architecture of Infinito.Nexus interactively with the Meta Infinite Graph! 🌐✨
Click the play button to dynamically resolve all Ansible and Docker dependencies — fully visual, fully explorable. 🚀🧩

Try it out: s.infinito.nexus/mig

#InfinitoNexus #MetaInfiniteGraph #Ansible #Docker #DevOps #Automation #OpenSource #InfrastructureAsCode #IaC #Architecture #Sysadmin #Linux #Engineering #Cloud #Developers #TechCommunity

AraInfo | Diario Libre d'Aragón arainfo.org@web.brid.gy
2025-11-24

The CUT brings to Zaragoza the testimony of the repression against the Global Sumud Flotilla

fed.brid.gy/r/https://arainfo.

2025-11-24

Managing domains and DNS at scale? Discover how DNSimple uses Terraform to bring the entire domain lifecycle into Infrastructure as Code. Read our latest blog for insights and practical tips, then experience the difference yourself.
👉 blog.dnsimple.com/2025/11/mana
#IaC #Terraform #DevOps
