Gruntwork announced the beta availability of Patcher, a tool to automatically keep infrastructure as a code updated, even after breaking changes.
Patcher, at the time of writing, allows upgrading the reference architecture from version 1.4 to 1.5 of the CIS AWS Foundation Benchmark, pulling in over 200 changes and fixing three breaking changes. The reference architecture is a bunch of suggestions and best practices to assemble the Infrastructure as Code Library from Gruntwork, into an end-to-end tech stack on AWS. The goal of Patcher is to allow users to manage all the upgrades of the Gruntwork Infrastructure as Code Library, with a series of operations performed automatically.
Patcher can be installed easily from the GitHub repo (at the time of writing, the repository access needs to be requested to Gruntwork). Patcher uses Docker to perform upgrades in a sandboxed environment.
After installation, to upgrade an IaC repository, Patcher performs the following steps:
- discover the updates of the dependency
- apply patches for breaking changes
- review the changes
- deploy
Patcher discovers and updates dependency with the command:
patcher upgrade
The tool analyzes the source code and automatically discovers dependencies, the version of each dependency, and if there are new versions. In the following example, Patcher found some dependencies that need upgrading.
How to Patcher shows the dependencies that need updates
Patcher allows the maintainers to define a patch that specifies how to transform the code to manage the breaking changes. The patches to apply to the code are described by YAML files. Patcher executes the steps defined in the YAML code which can be arbitrary commands. For example, the patch for tflint (a way to enforce a new recommendation related to security groups), can be specified as:
name: "Add tflint hook to Terragrunt configuration for CIS compliance checks"
author: Gruntwork <gruntwork.io>
image: gruntwork/patcher_bash_env:v0.0.12
steps:
- name: "Create tflint configuration"
run: create_tf_lint_config.sh
- name: "Add to the root terragrunt.hcl a hook for tflint"
run: add_hook.sh
Patcher performs the upgrades in the defined Docker image which makes code portable and keeps the user safe by limiting what the image could see and do. When Patcher finishes, a summary of all the patches applied is shown. In this way, the user can review the changes and apply them.
The review can be easily done with git diff, because Patcher saves all the changes in the local repository. The user can then decide to commit all the changes or make some changes.
Git diff after Patcher upgrade
In the previous screenshot, Patcher made some changes as part of the upgrade from CIS 1.4 to 1.5, applying some patches.
The first release of Patcher is focused on supporting the migration of CIS from 1.4 to 1.5, but the vision of Gruntwork is to automate all the updates for Gruntwork Infrastructure as Code and Reference Architecture.