Firefly, the cloud asset management solution, scans an organization's entire cloud footprint and Kubernetes clusters and codifies everything to IaC. Firefly recently launched its first open source tool, ValidIaC, which helps validate best practices for Infrastructure as Code (IaC).
“We built this open source tool because Terraform is challenging. I guess that you've heard about the Shift Left approach. It means that instead of creating resources in the cloud, we use IaC to deploy them. And before the Shift Left approach, the only way to detect security issues or cost problems was by using third-party tools, such as a CSPM (Cloud Security Posture Management) or CloudHealth,” says Sefi Genis, CTO and Co-Founder at Firefly, on the latest episode of TFiR Let’s Talk.
Key highlights from this video interview are:
- Firefly’s technology helps DevOps teams detect drift between the cloud and IaC, providing classification and insights over the cloud for security, cost, and SRE purposes. Genis discusses why tools that validate IaC best practices are so important, which open source tools ValidIaC bundles (tflint, tfsec, Infracost, and Inframap), and what each of them checks.
- Terraform can be challenging to work with. Genis explains how open source tools that catch problems before anything is deployed help overcome those challenges.
- Firefly is passionate about open source, and one of the motivations for building ValidIaC was that the available open source IaC tools were difficult to navigate and configure. Genis explains the inspiration behind ValidIaC, including the Kubernetes community’s ValidKube project.
- Genis explains how ValidIaC improves developers’ lives by sparing them the deep dive into each tool’s configuration. He gives examples of what the underlying tools detect, such as invalid instance types, security groups open to the world, and publicly exposed S3 buckets.
- Genis explains how ValidIaC is used inside Firefly’s product: after Firefly codifies cloud resources into Terraform, ValidIaC checks that the generated configuration follows security and cost best practices.
- Genis argues that IaC is the only workable way to manage the cloud today: combined with immutable infrastructure, it lets teams define a group of resources once and deploy it consistently across environments such as production, staging, and QA. He explains why it is so critical for developers and DevOps teams to understand IaC and its tools.
- Genis discusses other challenges facing developers who are embracing IaC, in particular configuration drift, and how Firefly is working to solve them.
About Sefi Genis: With years of experience in software development, cloud computing, and Infrastructure as Code, he has earned a reputation as a cloud expert and an avid practitioner of cloud security and architecture. Prior to Firefly, Sefi was Head of Engineering at Cynamics and Infrastructure Team Leader at Dome9 Security (acquired by Check Point).
About Firefly: Firefly’s Cloud Asset Management solution enables DevOps and Cloud teams to rediscover their entire cloud footprint, understand which parts of it are codified vs. unmanaged, detect drift to prevent service failures, and manage a single inventory of all their cloud resources across multi-cloud, multi-account, and Kubernetes deployments.
The summary of the show is written by Emily Nicholls.
Here is the automated and unedited transcript of the recording. Please note that the transcript has not been edited or reviewed.
Swapnil Bhartiya: Hi, this is your host Swapnil Bhartiya and welcome to TFiR Let’s Talk, and today we have with us Sefi Genis, CTO and co-founder at Firefly. Sefi, it’s great to have you on the show.
Sefi Genis: Thanks for having me.
Swapnil Bhartiya: And today we are going to talk about infrastructure as code best practices, code security, visibility, cost, and a lot of other factors that impact IaC. But before we go there, I would love to know a bit about the company, because you’re also a co-founder. Just tell me, what is the company all about and why did you create the company?
Sefi Genis: So Firefly is a cloud asset management solution that brings clouds up to code. We scan the entire cloud footprint and Kubernetes clusters, and we codify everything to IaC, such as Terraform, Pulumi, CloudFormation, etc. Using our technology, we help DevOps teams to detect drift between the cloud and IaC, and we can find classification and insights over the cloud for security, cost, and SRE purposes.
Swapnil Bhartiya: Now, we talked about what the company is all about. Can you also talk about what are the challenges that are there in the cloud-native, cloud-centric world when it comes to entity management?
Sefi Genis: Sure. So I’m going to talk about best practices. A few weeks ago, we launched our first open source tool, called ValidIaC. We pronounce it as validiac. This tool helps validate best practices for infrastructure as code, and it combines a few open source tools such as tfsec, tflint, Infracost, and Inframap, and I’m going to expand on them.
Sefi Genis: So tflint is a static code analysis tool that validates best practices for code, such as syntax errors, etc. tfsec is a static code analysis tool that helps to find security vulnerabilities and misconfigurations for security purposes. Infracost is an open source tool that helps estimate the pricing for infrastructure as code resources, and Inframap is an open source tool that generates a graph with the connections between resources.
Swapnil Bhartiya: You mentioned that you’re going to talk about some of the best practices. When we do look at best practices, there are two things, of course. There’s technology aspect, and then there is a people aspect. So can you also talk about the cultural people aspect as well there? So it’s also about the processes. Of course, technologies are there in place.
Sefi Genis: Sure. So the reason that we built this open source tool is because Terraform is challenging. I guess that you've heard about the shift left approach. It means that instead of creating resources in the cloud, we use IaC to deploy them. And before the shift left approach, the only way to detect security issues or cost problems was by using third party tools, such as a CSPM or CloudHealth.
Sefi Genis: But now you have open source tools that can help you detect everything before actually deploying them. And one more thing is that Terraform is challenging. I’m a developer. I have experience in Go, in Python, in OGS, and it was challenging for me to study Terraform. It’s the difference between declarative and imperative languages.
Swapnil Bhartiya: Now, let’s talk about the open source aspect of it. You folks do a lot of open source. Why?
Sefi Genis: I decided to build ValidIaC because I struggled with those open source tools myself. I put them in my CI/CD pipeline. As a CTO it’s important for me to comply with best practices, and I need to deep dive into them, into the configuration, etc. By the way, I saw that the Kubernetes community has an open source tool called ValidKube that does pretty much the same for Kubernetes CMS, and I wondered why our community, the infrastructure as code community, doesn’t have a tool like that. And I also saw my customers struggling with best practices. That led me to build this infrastructure as code open source tool.
Swapnil Bhartiya: So, the inspiration for ValidIaC came from ValidKube. Are you also leveraging any code from ValidKube as well, or it’s totally different project altogether?
Sefi Genis: Sure. So, it’s more than inspiration. We actually forked their GitHub repository, and we use their front end, for example, and we took their code and just changed it into an infrastructure as code open source tool.
Swapnil Bhartiya: You alluded to that in the beginning, but I am always curious about the actual and direct impact on a project or a products… on a developer’s life. So, can you talk about what immediate value ValidIaC brings to a developer’s or operator’s life?
Sefi Genis: As I mentioned before, in order to use those open source tools, you need to deep dive into them and into their configuration. ValidIaC is a browser-based tool: you can copy your Terraform configuration and paste it in validiac.com, and with one click, you can find the results of all of our checkers.
Sefi Genis: And I’ll give you some examples of that. tflint can detect if there are instances with the wrong instance types. For example, if you’re going to deploy an EC2 with Terraform, Terraform won’t tell you that it’s a problem. Only when you apply this resource will you get an error. And tflint helps to detect issues like that, naming conventions, etc.
Sefi Genis: One more thing is that the tfsec open source tool, which was created by Aqua Security, helps find security vulnerabilities, misconfigurations, etc. For example, if you have a security group that is open to the entire world, tfsec will find it. Or if you have an IAM user without MFA configured, or an S3 bucket that is exposed to the entire world. Those examples are very important for validating.
Swapnil Bhartiya: One more thing with open source, we were talking about open source earlier, is that open source helps solve the day one problem. You can get the code from GitHub or wherever you’re putting the code and get started, but you need features, you need support. So, that’s where commercialization of open source also plays a big role. Can you also talk about how Firefly is offering support for ValidIaC to potential customers or users?
Sefi Genis: So ValidIaC is an open source tool. Just an open source tool, but Firefly is a cloud asset management solution, and we put ValidIaC inside our system. For example, if you use Firefly to codify resources from the cloud to Terraform, you can use ValidIaC internally in Firefly to make sure that your Terraform configuration is set with best practices for security, for cost, etc.
Swapnil Bhartiya: Can you also talk about how easy or difficult it is to use ValidIaC?
Sefi Genis: So ValidIaC is very easy to use. It’s a browser-based tool: you copy your Terraform configuration in, and with one click, you can get the results of all the checkers. You can also download ValidIaC to your local machine and run it, either running the CLI using Docker or just running it directly.
Swapnil Bhartiya: What is the importance for developers, or really the whole DevOps team, to not only understand IaC, but also learn about its tools as well?
Sefi Genis: Infrastructure as code today is the only way to manage the cloud. I’ll give you an example. Before Terraform, CloudFormation, etc., you created the resources in the cloud using ClickOps, and it was not manageable. I mean, for example, if you want to manage multiple environments such as production, staging, QA, etc., the only way to manage everything is using immutability, and infrastructure as code helps you to create a group of resources and deploy those environments.
Swapnil Bhartiya: You’re looking at one problem areas, and that’s why you created ValidIaC. What are the other challenges that you’re seeing that users who are embracing infrastructure as code are facing in general?
Sefi Genis: Sure. So, one of the difficult problems in infrastructure as code is drift. For example, you can create resources using Terraform and deploy them to the cloud, but someone changes the configuration behind your back. It could be a person or it could be automation. Imagine, for example, that you create a security group in the cloud, and someone opens it to the entire world. So in Firefly, by the way, we work a lot with drift: we detect it, and we automatically fix it.
Swapnil Bhartiya: Sefi, thank you so much for taking time out today and, of course, for talking about the ValidIaC project, but also explaining a bit about the challenges that are there for those who are embracing infrastructure as code, and sharing your insights to help them. Thanks for those insights, and I would love to have you back on the show. Thank you.
Sefi Genis: Thank you so much. It was my pleasure to join here today.
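The misconfigurations Genis cites in the interview (a security group open to the entire world, a publicly exposed S3 bucket) and the drift scenario he describes (someone opening a security group after it was deployed) can be illustrated with a small pre-deploy check. The Python below is an added example written for this page; it is not part of the interview and is not code from ValidIaC, tfsec, tflint, or Firefly. It reads a constructed Terraform configuration written in Terraform's JSON syntax (.tf.json) with the standard library only, so it runs offline without Terraform or any scanner installed. The `acl` attribute on `aws_s3_bucket` is the older inline style (newer AWS provider versions move it to a separate `aws_s3_bucket_acl` resource), and the "live" security group snapshot is likewise constructed, standing in for what a cloud API describe call would return.

```python
"""Illustrative pre-deploy checks and drift detection over a Terraform
configuration in .tf.json syntax. Added example; not ValidIaC/tfsec code."""
import ipaddress
import json

# Constructed sample configuration (not from the interview or from Firefly).
# Port 22 is deliberately open to the world and the "logs" bucket is public.
CONFIG_JSON = r'''
{
  "resource": {
    "aws_security_group": {
      "web": {
        "name": "web",
        "ingress": [
          {"from_port": 22,  "to_port": 22,  "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
          {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}
        ]
      }
    },
    "aws_s3_bucket": {
      "logs":    {"bucket": "example-logs",    "acl": "public-read"},
      "private": {"bucket": "example-private", "acl": "private"}
    }
  }
}
'''

# Constructed "live" snapshot: someone added a world-open 3306 rule after deploy.
LIVE_SECURITY_GROUPS = {
    "web": [
        {"from_port": 22,   "to_port": 22,   "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
        {"from_port": 443,  "to_port": 443,  "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]},
        {"from_port": 3306, "to_port": 3306, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
    ]
}


def load_resources(config_text):
    """Yield (type, name, body) for every resource block in a .tf.json document."""
    doc = json.loads(config_text)
    for rtype, instances in doc.get("resource", {}).items():
        for name, body in instances.items():
            yield rtype, name, body


def is_world_open(cidr):
    """True when a CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_security_groups(config_text):
    """Flag ingress rules whose IPv4 or IPv6 CIDR admits the whole internet."""
    findings = []
    for rtype, name, body in load_resources(config_text):
        if rtype != "aws_security_group":
            continue
        for rule in body.get("ingress", []):
            for cidr in rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", []):
                if is_world_open(cidr):
                    findings.append(
                        f"aws_security_group.{name}: ingress "
                        f"{rule['from_port']}-{rule['to_port']}/{rule['protocol']} open to {cidr}")
    return findings


def check_s3_buckets(config_text):
    """Flag buckets whose inline canned ACL grants public read or write."""
    findings = []
    for rtype, name, body in load_resources(config_text):
        if rtype == "aws_s3_bucket" and body.get("acl", "private").startswith("public-"):
            findings.append(f"aws_s3_bucket.{name}: acl {body['acl']} exposes the bucket publicly")
    return findings


def rule_key(rule):
    """Normalise an ingress rule so declared and observed rules compare equal."""
    return (rule["from_port"], rule["to_port"], rule["protocol"],
            tuple(sorted(rule.get("cidr_blocks", []))))


def detect_drift(config_text, live_groups):
    """Compare declared ingress rules with a live snapshot, per security group.

    Returns {group_name: {"added": [...], "removed": [...]}} for groups that drifted.
    """
    drift = {}
    for rtype, name, body in load_resources(config_text):
        if rtype != "aws_security_group" or name not in live_groups:
            continue
        declared = {rule_key(r) for r in body.get("ingress", [])}
        observed = {rule_key(r) for r in live_groups[name]}
        added, removed = observed - declared, declared - observed
        if added or removed:
            drift[name] = {"added": sorted(added), "removed": sorted(removed)}
    return drift


if __name__ == "__main__":
    for finding in check_security_groups(CONFIG_JSON) + check_s3_buckets(CONFIG_JSON):
        print("pre-deploy:", finding)
    for group, change in detect_drift(CONFIG_JSON, LIVE_SECURITY_GROUPS).items():
        print(f"drift in aws_security_group.{group}: {change}")
```

Running the script reports the world-open port 22 rule and the public "logs" bucket before anything is applied, and then shows the 3306 rule that exists only in the live snapshot, which is the "someone opened it to the entire world" case from the interview. Real scanners such as tfsec carry far more rules and parse HCL directly; the point here is the shape of the check: normalise what is declared, compare it with what is observed, and fail the pipeline on the difference.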