Hello all!
Welcome to the next issue of the Tidy Cloud AWS bulletin! In this issue, I will focus a bit on some tools from Common Fate, AWS Skill Builder training and CDK for Terraform.
Enjoy!
IAM Zero, IAM Power Editor and Granted Approvals
Setting up least-privilege access can be a pain in AWS. Most of the time, you end up using overly broad permissions and leaving a note to self to "fix it later", which probably will never happen.
Nowadays, AWS provides the IAM Access Analyzer, which is certainly a step in the right direction.
The folks at Common Fate think the feedback loop it provides is not good enough, so they have developed a set of tools and libraries to improve the developer experience here.
IAM Zero is an open source project in early stages that intends to provide a much faster feedback loop on setting up and defining IAM policies during development, with context-aware suggestions and warnings for too wide or inappropriate permissions.
Currently, there is support for Python development and some AWS resources, with more to come on the roadmap. Infrastructure-as-code tools such as Terraform and AWS CDK are also on the roadmap.
Common Fate also has a web editor for IAM policies based on IAM Zero, called IAM Power Editor, which you can also read about in their blog post. It also uses an IAM policy linting library called Parliament. Right now, it allows for some basic IAM policy construction.
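As an added illustration of the kind of check such a linter performs (example code written for this bulletin, not IAM Zero's or Parliament's own rules), here is a small Python linter that flags the overly broad Allow statements a least-privilege review would want caught. The sample policy and account ID are constructed, and the three heuristics are an assumption of the example.

```python
import json
from typing import Any

# Constructed sample policy: a typical "fix it later" policy with wildcards.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
         "Resource": "arn:aws:dynamodb:eu-west-1:123456789012:table/orders"},
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    ],
})


def _as_list(value: Any) -> list:
    """IAM allows a string or a list in Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json: str) -> list[str]:
    """Return one finding per overly broad Allow statement.

    Heuristics (an assumption of this example, not IAM Zero's rules):
    - Action "*" or "service:*" grants every action of a service
    - Resource "*" with no Condition applies to every resource
    - NotAction in an Allow grants everything except the listed actions
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; only Allow can be too wide
        where = f"Statement[{idx}]"
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{where}: wildcard action {action!r}")
        if "NotAction" in stmt:
            findings.append(f"{where}: Allow with NotAction grants everything except "
                            f"{_as_list(stmt['NotAction'])}")
        if "*" in _as_list(stmt.get("Resource")) and "Condition" not in stmt:
            findings.append(f"{where}: Resource '*' without a Condition")
    return findings


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

Running it against the constructed policy reports four findings; a policy scoped to named actions and resource ARNs reports none.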
Recently, Common Fate also announced an open source permission management framework called Granted Approvals. It is a framework that simplifies the management of temporary elevated permissions for users, with a web-based user interface. You host it in your own AWS accounts, and it can integrate with AWS SSO (or rather AWS IAM Identity Center, after the name change).
I am a happy user of their tool Granted for AWS access, both AWS Console and scripted/command-line, so I am looking forward to exploring some of these other tools more. I wrote a bit about Granted in issue 20 of the bulletin as well.
AWS Skill Builder
There are plenty of educational resources for improving your AWS skills, some free and some paid for. AWS themselves are trying to improve their position in this space through AWS Skill Builder. It includes several free digital training courses, as well as a gamified learning experience, AWS Cloud Quest.
For many more courses and for the labs, you need a subscription, though, with prices similar to those of other educational subscription services.
It seems to be a rebranding of some of the earlier training material AWS produced. The more recent courses I have tried were good. I have not tried the subscription-only material yet. I am interested in trying out the jams they have at some point. These are tasks that are not guided step by step, as many labs are. Instead, you have an aim to complete and you may get some hints along the way, but not much more. This sounds interesting and fun, so I will probably try these at some point.
CDK for Terraform
HashiCorp recently announced that the Cloud Development Kit for Terraform, also known as CDKTF, is now generally available. This means that HashiCorp considers CDKTF stable enough for production usage.
I think this is great news! CDKTF (0.12) supports TypeScript, Python, Go, Java and C# as languages to define your infrastructure as code.
Similar to AWS CDK, it supports the concept of a CDKTF application, which comprises multiple stacks, each of which maps to a Terraform state. This means that the use cases for CDKTF also cover features that people may have used tools like Terragrunt for.
CDKTF also includes the convert command, which takes existing Terraform HCL and generates the corresponding CDKTF code in your language of choice. This can ease the transition from plain Terraform HCL to CDKTF.
CDKTF also has some support for using constructs from AWS CDK, through the AWS Adapter. This is still in technical preview, though, and not production ready at this point. Like Pulumi's AWS CDK support, it relies on the AWS Cloud Control API. AWS CDK is a great resource for higher-level infrastructure-as-code components, and it is nice to see both Terraform and Pulumi working to take advantage of this.
CDKTF supports using modules written in HCL, and technically it is possible to create CDKTF-based modules and consume them from HCL (hybrid constructs), although this functionality is not yet nicely packaged. In issue 23 of this bulletin, I noted that there was a presentation at CDK Day 2022 about hybrid constructs. Check that out if you are interested!
You can find the contents of this bulletin, older issues, and more at Cloudgnosis.org. You will also find other useful articles on AWS automation and infrastructure-as-software.
Until next time,
/Erik