
Codify resources outside of Terraform control, detect drift, estimate cloud costs, identify security risks, and more. "Terraform best practices as a Pull Request."


aubernknight/cloud-concierge

cloud-concierge

Why cloud-concierge?

cloud-concierge is a container that integrates with your existing Terraform management setup. All results and codified resources are output as a digestible Pull Request to a repository of your choice, giving you a "State of Cloud" report in a GitOps manner. It provides:

  • ✅ Cloud codification: identify unmanaged resources and generate the corresponding Terraform code and import statements/import blocks

  • ✅ Drift detection

  • ✅ Flag accounts creating changes outside your Terraform workflow

  • ✅ Whole-cloud cost estimation, powered by Infracost

  • ✅ Whole-cloud security scanning, powered by tfsec (checkov integration coming soon)

In action (managed instance)

(video: cloud-concierge.sizzle.mp4)

Quick Start

All Cloud Provider Pre-requisites

  1. Obtain an API token at https://app.dragondrop.cloud. For open source executions, we only collect data on when a cloud-concierge container starts up (see the Telemetry section below).
  2. Add the cloud-concierge GitHub App to the repository into which generated Pull Requests should be output.
  3. Configure an environment variable file (use one of our templates to get started) to control the specifics of cloud-concierge's coverage.
  4. Run docker pull dragondropcloud/cloud-concierge:latest to pull the latest image.

AWS Quickstart

I) Run aws configure on your CLI and ensure that the configured credentials have read-only access to your cloud; cloud-concierge does not need write permissions. If you reference state files stored in an S3 bucket, the same credentials must also be able to read those state files. Terraform state can contain secrets in plaintext, so scope that read access to the state objects cloud-concierge actually needs.

II) Run the cloud-concierge container:

docker run --env-file ./my-env-file.env -v main:/main -v ~/.aws:/main/credentials/aws:ro -w /main dragondropcloud/cloud-concierge:latest

This mounts your AWS credentials directory read-only (:ro) into the container and uses a named Docker volume (main) as the working directory. If running on Windows, substitute $HOME/.aws: for ~/.aws: in the above command.

III) Check the Pull Request that has been created by cloud-concierge (example output).

Azure & GCP Quickstart

See more here.

How does it work?

  1. cloud-concierge builds a representation of your cloud infrastructure as Terraform. Only read-only cloud access should be given to cloud-concierge; the Pull Request is written through the GitHub App, not with your cloud credentials.
  2. This representation is compared against your state files to detect drift and to identify resources outside of Terraform control.
  3. Static security scans and cost estimation are performed on the Terraform representation.
  4. Results and code are summarized in a Pull Request within the repository of your choice.
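As an added illustration of steps 2 and 4 (example code, not cloud-concierge's own implementation), the Go program below parses a constructed Terraform v4 state file, compares it against a constructed listing of live resources, reports attributes that drifted and resources that have no state entry, and renders Terraform 1.5+ import blocks for the unmanaged ones. The state layout and the import-block syntax are real Terraform formats; the sample resources, their type/name/ID values, the string-only attribute comparison and the rule for deriving a resource name from a cloud ID are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed v4 Terraform state standing in for the file cloud-concierge reads from S3 or disk.
const sampleState = `{"version": 4, "resources": [
  {"mode": "managed", "type": "aws_s3_bucket", "name": "logs",
   "instances": [{"attributes": {"id": "acme-logs", "bucket": "acme-logs", "acl": "private"}}]},
  {"mode": "data", "type": "aws_caller_identity", "name": "current", "instances": [{"attributes": {"id": "123456789012"}}]}
]}`

type Resource struct {
	Type, ID, Address string            // Address (type.name) is set only for instances taken from state
	Attrs             map[string]string // only string attributes are compared in this example
}

type Drift struct{ Address, Attr, InState, Live string } // one attribute whose live value differs from state

// managedFromState flattens managed (not data) instances into Resources keyed by {type, id}. Assumption: no count/for_each.
func managedFromState(raw []byte) (map[[2]string]Resource, error) {
	var st struct {
		Resources []struct {
			Mode, Type, Name string
			Instances        []struct{ Attributes map[string]any }
		}
	}
	if err := json.Unmarshal(raw, &st); err != nil {
		return nil, err
	}
	managed := map[[2]string]Resource{}
	for _, r := range st.Resources {
		if r.Mode != "managed" {
			continue // a data source in state never means Terraform owns the resource
		}
		for _, inst := range r.Instances {
			res := Resource{Type: r.Type, Address: r.Type + "." + r.Name, Attrs: map[string]string{}}
			res.ID, _ = inst.Attributes["id"].(string)
			for k, v := range inst.Attributes {
				if s, ok := v.(string); ok && k != "id" {
					res.Attrs[k] = s
				}
			}
			managed[[2]string{res.Type, res.ID}] = res
		}
	}
	return managed, nil
}

// compare is step 2: a live resource absent from state is unmanaged (a codification candidate);
// one present in both is checked attribute by attribute for drift.
func compare(live []Resource, managed map[[2]string]Resource) (unmanaged []Resource, drift []Drift) {
	for _, l := range live {
		m, ok := managed[[2]string{l.Type, l.ID}]
		if !ok {
			unmanaged = append(unmanaged, l)
			continue
		}
		for attr, want := range m.Attrs {
			if got, seen := l.Attrs[attr]; seen && got != want {
				drift = append(drift, Drift{m.Address, attr, want, got})
			}
		}
	}
	return unmanaged, drift
}

// importBlocks renders Terraform 1.5+ import blocks for unmanaged resources; the resource name is derived
// from the cloud ID (assumption: good enough for the PR; HCL identifiers cannot be empty or start with a digit).
func importBlocks(unmanaged []Resource) string {
	var b strings.Builder
	for _, r := range unmanaged {
		name := strings.NewReplacer("-", "_", ".", "_", "/", "_", ":", "_").Replace(strings.ToLower(r.ID))
		if name == "" || (name[0] >= '0' && name[0] <= '9') {
			name = "r_" + name
		}
		fmt.Fprintf(&b, "import {\n  to = %s.%s\n  id = %q\n}\n\n", r.Type, name, r.ID)
	}
	return b.String()
}

// run compares a constructed "live" listing (what a read-only scan found) against sampleState.
func run() (unmanaged []Resource, drift []Drift, blocks string, err error) {
	live := []Resource{
		{Type: "aws_s3_bucket", ID: "acme-logs", Attrs: map[string]string{"bucket": "acme-logs", "acl": "public-read"}},
		{Type: "aws_s3_bucket", ID: "acme-scratch", Attrs: map[string]string{"bucket": "acme-scratch", "acl": "private"}},
	}
	managed, err := managedFromState([]byte(sampleState))
	if err != nil {
		return nil, nil, "", err
	}
	unmanaged, drift = compare(live, managed)
	return unmanaged, drift, importBlocks(unmanaged), nil
}

func main() { fmt.Println(run()) }
```

Running it reports one drift finding (the logs bucket ACL changed from private to public-read outside Terraform) and one import block for the scratch bucket, which has no state entry. A real scan would feed provider listings into compare and walk every state file the configuration references; data sources are skipped on purpose, since their presence in state says nothing about ownership.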

Telemetry

For OSS usage, Cloud Concierge only logs data to the dragondrop API whenever a container execution is started. This method can be viewed here.

Jobs managed by the dragondrop platform log statuses over the course of the job execution and anonymized data for cloud visualizations to the dragondrop API. These methods can be viewed here and here.

Contributing

Contributions in any form are highly encouraged. Check out our contributing guide to get started.

Using at Scale with dragondrop.cloud

The cloud-concierge container is easy to manage in a single configuration. If you are looking to use cloud-concierge at scale, however, the dragondrop.cloud management platform allows you to:

  • Manage multiple cloud-concierge configurations through a user interface
  • Manage different cron jobs for executing each configuration at desired intervals
  • Consolidate multiple cloud-concierge executions into anonymized visualizations of drift, uncodified resources, cloud costs, and security risks.
  • Continue to self-host cloud-concierge instances within your cloud using serverless infrastructure.
