Panoptes: restoring rogue resources in an Infrastructure as Code multi-cloud environment
Managing system architectures has historically been a time-consuming and error-prone process. DevOps, a set of practices aimed at improving deployment speed and quality, addresses these challenges by promoting automation and consistency. A core practice within DevOps is Infrastructure as Code (IaC), in which infrastructure is described in code and systems are automatically configured based on these definitions. This contrasts with traditional methods, in which administrators configure systems manually and interactively.
Infrastructure as Code in cloud and multi-cloud environments
IaC is ideally suited to cloud computing, because cloud services make it possible to allocate system resources on demand and provision them automatically using IaC. When adopting cloud computing, organizations can choose a single cloud provider or multiple providers at the same time, which is referred to as a multi-cloud environment. Multi-cloud strategies help prevent vendor lock-in and reduce dependence on a single provider. At the same time, managing multiple vendors adds complexity, including differences in products and APIs, which can make interoperability difficult.
The challenge of configuration drift and rogue resources
Despite the advantages of IaC, this approach also introduces challenges, including configuration drift, often described as "undocumented configuration changes in a running system." This research focuses specifically on detecting and repairing rogue resources: resources that fall outside the "state" managed by IaC, but do affect resources within that state. Here, "state" refers to the collection of resources managed by IaC. Rogue resources can disrupt the functioning of IaC, for example, by causing deployments to fail when they depend on infrastructure created outside of IaC. In addition, they pose a security risk because their existence outside of the IaC documentation makes them difficult to monitor and control. Addressing these rogue resources is essential to return the system to a known, manageable state and ensure integrity.
Research scope and implementation
This research investigated methods for detecting and recovering rogue resources in multi-cloud environments. Based on the research results, a tool was designed and developed to address these challenges in a practical way. To ensure feasibility within the available time frame, the scope was deliberately limited. AWS and Hetzner Cloud were chosen as focus platforms because of their accessibility and the combination of a large cloud provider with a smaller provider. Terraform was selected as the IaC tool due to its widespread adoption and popularity. In addition, the research focuses specifically on compute resources, which allows for a more in-depth analysis of rogue resource management.
Contributions and results
By investigating these challenges and implementing concrete solutions, this research contributes to better management of multi-cloud environments and to increasing the reliability of systems that use IaC. The findings provide in-depth insight into how rogue resources can be effectively addressed, ensuring that systems remain secure, controllable, and operational.
