Develop and Augment your Team with the Right Technology

By Gray Knowlton

SREs recognize the importance of efficiency. Cloud operations talent is in short supply, and those occupying those roles are frequently over-tasked, under-tooled, and suffer under the weight of tremendous expectations. SREs lament chatty, alert-saturated products that drag users through screen after screen.  Over and over, our users ask for something very simple. “Show me what to fix.” 

OpsCompass solves that problem by showing you exactly what to fix – everything from configuration and compliance problems to configuration drift.  Our platform queries your existing cloud inventory, regardless of what put it there, or what was intended when it was deployed. Keeping focused on actionable changes helps SREs get more done. Taking bureaucratic rules and policies and divining change lists is not easy without OpsCompass. Our experience is designed to focus you on the things that help your environment the most.  

Inventory is the Truth

CI/CD solutions offer great convenience in creating repeatable deployments for cloud workloads. Rapidly advancing operations management tools help author and manage template source code. The resulting footprint in the cloud is much larger, more expansive than the template specified, because public cloud providers “help” by adding the resources that are required but not specified. Especially in organizations where multiple teams share subscriptions, resource spam is a problem in cloud management, and it is one that CI/CD cannot solve on its own. 

Inventory is the truth of your cloud. Templates, recommendations, advisors, and similar abstractions attempt to focus attention on the important things. As SREs know, when it comes to security, cost, contracts, compliance frameworks, everything is important. What needs attention are the resources that fail an expectation, and those could be anywhere.  

OpsCompass helps you see what is in your cloud. Many organizations host workloads in multiple public clouds, so our view is especially helpful when resources are deployed to many places.  

Our inventory view can help you gain insight across a large resource group quickly. For example, if an organization wants to review all its storage resources across multiple clouds, OpsCompass can provide this view instantly (sensitive details are obfuscated).

  

This is where the inspection begins. Once a specific set of resources is isolated it can be meaningfully analyzed. This might be by resource type, region, account, or other criteria. In this case, we can see that a handful of resources have “problems,” or violate the rules we have defined for our projects.

This view allows us to drill into the problem. In this case, the encryption key for the storage object is provided by GCP, and not by a user. According to security convention and many cybersecurity compliance frameworks, this is an issue that should be avoided. For multi-tenant hosting, this is especially important. This is one of the most common compliance violations we see in storage accounts. 
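The check described above can be sketched over inventory data. This is an added example, not OpsCompass code: the bucket records are constructed in the shape of Cloud Storage bucket resources, and the rule name and finding format are hypothetical.

```python
import re

# Constructed inventory records shaped like Cloud Storage bucket resources.
# A customer-managed key shows up as encryption.defaultKmsKeyName; when the
# field is absent the bucket falls back to Google-managed keys.
BUCKETS = [
    {"name": "tenant-a-uploads", "location": "US-EAST1",
     "encryption": {"defaultKmsKeyName": "projects/example-proj/locations/"
                    "us-east1/keyRings/storage/cryptoKeys/tenant-a"}},
    {"name": "tenant-b-uploads", "location": "US-EAST1"},
    {"name": "build-artifacts", "location": "EU", "encryption": {}},
]

# Full resource name of a Cloud KMS key.
KMS_KEY = re.compile(
    r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$")

RULE = "storage-default-key-is-customer-managed"  # hypothetical rule name


def key_source(bucket):
    """Classify who supplies the bucket's default encryption key."""
    key = (bucket.get("encryption") or {}).get("defaultKmsKeyName", "")
    if not key:
        return "provider-managed"
    return "customer-managed" if KMS_KEY.match(key) else "unrecognized"


def evaluate(buckets):
    """Return one finding per bucket that fails the rule."""
    findings = []
    for bucket in buckets:
        source = key_source(bucket)
        if source != "customer-managed":
            findings.append({
                "resource": bucket["name"],
                "rule": RULE,
                "observed": source,
                "action": "set a Cloud KMS key as the bucket default",
            })
    return findings


if __name__ == "__main__":
    for finding in evaluate(BUCKETS):
        print(finding)
```

The bucket default only governs objects written after it is set, so objects that already exist in a failing bucket need their own review.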

 

In addition to helping you understand the problem and review the recommended action, OpsCompass can show you the entire history of this rule for this resource. You can see here that this resource has changed over time, and different actions have been taken to address the problem.

For every resource discovered in inventory, the change history is available for your inspection. Each change is made clear and is separately viewable, down to the JSON configuration.  Each JSON representation of a resource’s history is available for display. This is especially helpful when reviewing changes to resources.  

 

SREs Know That Drift Happens 

SREs know full well that regardless of how they are deployed, public cloud resources change frequently. Changes are driven by users or tools trying to fix things, or by the cloud providers themselves. This problem is known widely as drift.

AWS’s recent deprecation of AWS Elastic Beanstalk Managed Policies provides an excellent example of how a change by a cloud provider creates drift. From AWS:

“We have detected that at least one user, group, or role in your account is currently employing the AWSElasticBeanstalkService managed policy. This policy is scheduled for deprecation and will no longer be available for attachment to new IAM users, groups, or roles after April 15, 2021.” 

Cases like this happen all the time. AWS, Azure and GCP are constantly evolving and improving. If resources happen to be in the crosshairs of a deprecation and nobody is watching, you can bet drift, or other problems, will arise. The voluminous change rate for the three major public cloud providers makes it difficult to keep up with everything that is in motion.  

OpsCompass detects and manages drift for deployed resources. Drift management in OpsCompass is as straightforward as reviewing a list of problems for a resource. Drifts are presented in a simple interface that directs users to a specific change, in the context of an entire history of changes.  

OpsCompass Drift views are helpful in working through general system maintenance as well as forensics/troubleshooting. The drift view shows all changes that violate user-defined concerns. In this example, I have created a concern which tells OpsCompass to “create a drift alert when a public IP address is added or changed on a resource.”

Drilling into this specific resource, the change becomes clear. 

In this view we can see the entire drift history for this specific resource. This includes previously acknowledged drift as well as the newly detected drift. This is helpful for understanding context and detecting patterns. Like the inventory view, the JSON resource description highlighting the specific changes is available as well. 
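The public IP concern and the highlighted JSON changes can be reproduced in a few lines. This is an added example, not OpsCompass code: the two snapshots are constructed in the shape of a GCE instance resource, and the set of key names treated as public IP fields is an assumption.

```python
# Constructed snapshots of one VM, shaped like a GCE instance resource
# (external IPs live in networkInterfaces[].accessConfigs[].natIP).
BEFORE = {"name": "web-01", "machineType": "e2-small",
          "networkInterfaces": [{"network": "default", "networkIP": "10.0.0.5"}]}
AFTER = {"name": "web-01", "machineType": "e2-medium",
         "networkInterfaces": [{"network": "default", "networkIP": "10.0.0.5",
             "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.10"}]}]}

# Hypothetical concern definition: leaf keys that carry a public IP address.
PUBLIC_IP_KEYS = {"natIP", "PublicIpAddress"}

def flatten(node, prefix=""):
    """Turn nested JSON into {"a.b.0.c": leaf} so snapshots can be compared."""
    if isinstance(node, dict):
        items = node.items()
    elif isinstance(node, list):
        items = enumerate(node)
    else:
        return {prefix: node}
    flat = {}
    for key, value in items:
        flat.update(flatten(value, f"{prefix}.{key}" if prefix else str(key)))
    return flat

def diff(before, after):
    """Return (path, kind, old, new) for every leaf that differs."""
    old, new = flatten(before), flatten(after)
    changes = []
    for path in sorted(old.keys() | new.keys()):
        if path not in old:
            changes.append((path, "added", None, new[path]))
        elif path not in new:
            changes.append((path, "removed", old[path], None))
        elif old[path] != new[path]:
            changes.append((path, "changed", old[path], new[path]))
    return changes

def public_ip_drift(before, after):
    """Keep only what the concern covers: a public IP added or changed."""
    return [c for c in diff(before, after)
            if c[0].rsplit(".", 1)[-1] in PUBLIC_IP_KEYS and c[1] != "removed"]

if __name__ == "__main__":
    for path, kind, old, new in public_ip_drift(BEFORE, AFTER):
        print(f"DRIFT {kind}: {path}: {old!r} -> {new!r}")
```

The machine type change appears in the full diff but raises no alert, because the concern only covers public IP fields.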

These types of drifts and drift concerns are available on many resource types hosted in public cloud accounts. These insights are tremendously helpful to SREs that need to find and fix issues in their configuration. Whether these resource deployments were originally template driven or manually applied, OpsCompass makes it easy to find the cause and the problem. This is a very precise way of identifying, addressing, or acknowledging unplanned changes for your cloud resources.  

With OpsCompass SREs can cut through the noise, simplify problem lists, identify and isolate problems and know exactly what to fix.  

 

 

Tags: Resources, OpsCompass, Cloud Strategy, Compliance Drift