Back in the day, in an IT company long ago, where the BOFHs roamed and ITIL was strong, we used to keep long lists of CIs that were invariably and hopelessly out of date, because we either didn't care, didn't know, or didn't bother keeping them up to date. That was totally fine in the relatively static environment of the IT company of long ago: we would have our yearly inventory day and then forget about it again.
Of course, we all use some form of infrastructure as code right now. Some of us might go as far as "if it isn't in code it doesn't exist", but can we truly say that whatever is in the OpenTofu state really is the only thing running? What about that recurring $1 charge in that dormant AWS account, where is that coming from? How about the playground projects the CEO likes to play around with in his spare time? Or that one time `opentofu destroy` didn't exit cleanly and some resources weren't cleaned up before the timeout: did we really manually clean up all the resources?
11. Confidential and Proprietary
Count the number of resources in your state file and in your code
terraform show -json | jq -r '.values.root_module.resources[].address' | wc -l
grep -nr 'resource "google_compute_instance"' .
Compare your single source of truth vs vendor billing
SKUs applied === SKUs paid for
cloud regions defined in .tf files === regions with resources
Vendors as a SQL Schema
SELECT * FROM aws_elbv2_load_balancers WHERE scheme = 'internet-facing';
https://www.cloudquery.io/
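The three previous slides (count what the state knows about, compare it with what the vendor actually runs, query the inventory) boil down to one reconciliation step. The script below is an added example, not part of the original deck or of any of the tools it mentions: it walks a `terraform show -json` document (including child modules), collects the managed instance ids, and diffs them against a constructed live inventory of the kind a CloudQuery export or the billing data would give you. Both inputs are constructed sample data.

```python
import json

# Constructed sample of `terraform show -json` output, trimmed to the fields used here.
STATE_JSON = """{
  "values": {"root_module": {
    "resources": [
      {"address": "aws_instance.web", "type": "aws_instance",
       "values": {"id": "i-0aaa111", "availability_zone": "eu-central-1a"}},
      {"address": "aws_lb.public", "type": "aws_lb",
       "values": {"scheme": "internet-facing"}}
    ],
    "child_modules": [{"address": "module.db", "resources": [
      {"address": "module.db.aws_instance.db", "type": "aws_instance",
       "values": {"id": "i-0bbb222", "availability_zone": "eu-central-1b"}}
    ]}]
  }}
}"""
STATE = json.loads(STATE_JSON)

# Constructed live inventory, shaped like a cloud asset inventory export would be.
LIVE = [
    {"id": "i-0aaa111", "region": "eu-central-1"},
    {"id": "i-0bbb222", "region": "eu-central-1"},
    {"id": "i-0ccc333", "region": "us-east-1"},  # never in any state file: a playground leftover
]

def state_resources(state):
    """Every resource in the state, root module and nested modules alike."""
    def walk(module):
        yield from module.get("resources", [])
        for child in module.get("child_modules", []):
            yield from walk(child)
    return list(walk(state["values"]["root_module"]))

def managed_instance_ids(state):
    """Ids of the instances the state claims to own."""
    return {r["values"]["id"] for r in state_resources(state) if r["type"] == "aws_instance"}

def unmanaged(state, live):
    """Live instances with no counterpart in the state: drift or orphaned resources."""
    managed = managed_instance_ids(state)
    return [r for r in live if r["id"] not in managed]

def outside_allowed_regions(live, allowed):
    """Live resources running in regions the .tf files never defined."""
    return [r for r in live if r["region"] not in allowed]
```

Run against a real state file, the `unmanaged` list is what you would hand to whoever owns the cleanup, and `outside_allowed_regions` is the list that should be empty once the region SCP on the next slides is in place.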
Lock Vendor Regions Down
data "aws_iam_policy_document" "eu-central-1-only" {
  statement {
    actions = [
      "ec2:RunInstances",
    ]
    ….
    condition {
      test     = "StringEquals"
      variable = "aws:RequestedRegion"
      values = [
        "eu-central-1",
      ]
    }
  }
}
Lock Vendor Regions Down
resource "aws_organizations_policy" "eu-central-1-only" {
  name    = "eu-central-1-only"
  content = data.aws_iam_policy_document.eu-central-1-only.json
}