Unmanaged Resource Detection

Overview

Including Infrastructure as Code (IaC) in your architecture is a big step towards shifting your assets, allowing you to solve issues in bulidtime - i.e., before they become effective in the cloud runtime environment. While your organization might not wish to fully manage its runtime infrastructure by IaC (for various reasons), some of your running assets might still need to be backed by IaC templates - and you should be aware which of them are backed that way and which are not.
To meet this need, Bridgecrew supports unmanaged resource detection. An Unmanaged resource is a runtime resource that was not created by a buildtime template. The suggested fix for this use case is to create an equivalent buildtime template that you can manage using an IaC service (Terraform or CloudFormation).
By integrating both your CSP accounts and your repositories with Bridgecrew, you can discover unmanaged resources that should potentially be managed by Terraform or CloudFormation. This way, you can have all of your cloud resources codified and aligned with IaC frameworks.

Discovering Unmanaged Resources in Bridgecrew

Info and fix suggestions for unmanaged resources are available via the Incidents and Policies pages.

Incidents

Prerequisites

To be able to access issues in unmanaged resources in the Incidents page, ensure of the following:

  1. You have integrated your runtime accounts with Bridecrew so that they can be scanned.
  2. You have integrated VCS repositories storing the relevant IaC files code for selected runtime accounts.
  3. You have Traceability enabled via yor_trace on top of your Terraform and CloudFormation resources to redeploy your infrastructure. Unmanaged resource detection is also supported for CFN-based environments without yor_trace tagging and works Out-of-the-Box. For more details on how to enable traceability, see Traceability.

Unmanaged Resources Incidents

In the Incidents screen, the relevant policy for unmanaged sources is: Ensure all runtime resources are deployed and managed by infrastructure as code templates. You can access it by searching for it, or filter the results by Untraced - the light gray part of the pie chart displayed at the top right of the results page. Clicking on this part displays errors only in untraced resources, i.e. unmanaged resources.

1371

To view errors and fix suggestions in an unmanaged resource:

  1. Select one of the resources in the relevant error box.
    In the example below, there are two types of resources - a CloudFormation resource and a Terraform resource.
1367
  1. In the Resource Explorer pane, under the Errors tab, you can see the code (CloudFormation or Terraform) that describes an equivalent template for the already-running resource. [screenshots of each]
  2. Click Copy to copy the code to your clipboard and use it according to your needs, e.g. pasting it in your VCS.
1368

CloudFormation suggested template

Policies

You can use the Search function to find the Ensure all runtime resources are deployed and managed by infrastructure as code templates policy, view its guidelines and add a suppression, if you wish.

1142