In the dynamic landscape of Infrastructure-as-Code (IaC), aligning your resources with your code is a constant challenge. This misalignment, commonly known as drift, can occur when resources are manually added, updated, or removed outside of your IaC scripts. 

Enter env0, a powerful platform that offers a trio of capabilities – drift detection, scheduling, and approval policies – to facilitate what we like to call ‘smart’ auto remediation.

Auto Scheduling

Automation is the backbone of modern IT management. With env0's scheduling capability, you can automatically trigger deployments and destroys on a predefined schedule. 

This means that your environments can be kept in a consistent state, reducing the risk of drift and making sure that your infrastructure always aligns with your code.

Approval Policies

env0 brings a sophisticated touch to policy enforcement through the use of Open Policy Agent (OPA) and .rego files. These policies, located within your repository, ensure that deployments meet your organization's standards and requirements. 

During the deployment process, an approval step is executed after the plan and cost estimation phases. The deployment may then proceed, pause for further approval, or even be canceled depending on different factors—the policies, deployment type, and other relevant data.

Auto Remediation

By combining scheduling and approval policies, you achieve ‘smart’ auto remediation. 

Imagine automatically detecting drift in your environment, triggering a remediation deployment on a schedule, and ensuring that it adheres to your organization's policies before proceeding. 

This level of automation, monitoring, and enforcement keeps infrastructure 

  1. In sync with your IaC code 
  2. Compliant with your organization's standards

With our platform, you can attain ‘smart’ auto remediation that keeps your infrastructure at its best, effortlessly aligning your real-world resources with your IaC code.

env0 drift detection serves as the watchful guardian of your infrastructure. By setting up scheduled deployment tasks that conclude with an examination of the [.code]terraform plan[.code] output, env0 automatically detects drift in your environment. 

When drift is detected, you're promptly alerted so you can take corrective actions before it becomes a bigger problem.

For example, you can detect drifts in S3 buckets. If it's something simple, like missing tags, you can enable policy in a .rego file that allows for any minor changes like updates (but not deletions or creations) to take immediate effect (see the video below to watch this in action).

For a full video walkthrough, watch the tutorial below:

Transcript

 Hello env0 user. My name is Andrew. I want to show you drift detection and remediation within env0. So let's get first started on what are the benefits of drift detection and remediation. Drift detection is whenever your code is drifted from your cloud resource. So drift detection will notify you when this occurs.

Of course, there are two ways this can occur. One is if the code has been updated, but not the cloud resource; or if the cloud resource has been changed, but not the code. 

So, in either scenario, we want to get notified when there's this discrepancy. And then for remediation, sometimes we were saying code is the source of truth.

Maybe it's not always. For example, if you're updating a tag, sure, we can just automatically approve those changes and remediate those, those tag changes. 

But what if we made a hotfix to a security group and didn't have time to change the code? In that scenario, you don't necessarily want auto remediation in the sense of the code is going to overwrite the cloud resource.

You may introduce whatever bug or issue that you had that you had to fix anyway, so how can we remediate in a smart manner in env0? What we do is we have a scheduled deployment with approval policies that will enable the smart auto remediation. 

Let me show you that in action before I do that. Let me quickly show you how drift detections look in env0.

You get a Slack or Teams notification. And in your environment, you get a result of “drifted” on the plan stage. You can see exactly kind of a summary of those drifts and click into it to find out exactly what changed here. I have another drifted environment, this S3 bucket. And if we look at the run in the plan, we can see here.

This bucket is some tags that have been deleted. So going back to that scenario, because these are just tags being missed, uh, that are missing, I want to have it auto automatically remediated. So inside the environment, what I've done already is configured a scheduled deployment. So this will deploy every two hours.

And on the project, I've also enabled an approval policy.

So in my git repo, I have this open policy agent or rego file that defines when to allow, automatically allow the deployment to continue. In this scenario, what I'm saying is, if there are any deletions, Or if there are any creations, I will not allow it, but if it's just updates, then I will allow. So you can, of course, make this tailored to your needs.

For example, again, going back to that scenario, just checking for tags, or if you need a security group, it’ll require an approval process in env0. To simulate the scheduled deployment, I will go ahead and manually deploy.

And we'll let that run.

We can see the approval policy automatically allowed this deployment. We can see the message here, prove automatically for updates only. If I go back into the plan and inspect the plan, you can see here that I'm only updating these tags. 

Okay, great. The deployment is now complete.. The tags have been updated.

And I hope this shows you how with env0's scheduled deployments and approval policies, you too can implement smart auto remediation. If you have any questions, please feel free to reach out. I look forward to hearing from you.

In the dynamic landscape of Infrastructure-as-Code (IaC), aligning your resources with your code is a constant challenge. This misalignment, commonly known as drift, can occur when resources are manually added, updated, or removed outside of your IaC scripts. 

Enter env0, a powerful platform that offers a trio of capabilities – drift detection, scheduling, and approval policies – to facilitate what we like to call ‘smart’ auto remediation.

Auto Scheduling

Automation is the backbone of modern IT management. With env0's scheduling capability, you can automatically trigger deployments and destroys on a predefined schedule. 

This means that your environments can be kept in a consistent state, reducing the risk of drift and making sure that your infrastructure always aligns with your code.

Approval Policies

env0 brings a sophisticated touch to policy enforcement through the use of Open Policy Agent (OPA) and .rego files. These policies, located within your repository, ensure that deployments meet your organization's standards and requirements. 

During the deployment process, an approval step is executed after the plan and cost estimation phases. The deployment may then proceed, pause for further approval, or even be canceled depending on different factors—the policies, deployment type, and other relevant data.

Auto Remediation

By combining scheduling and approval policies, you achieve ‘smart’ auto remediation. 

Imagine automatically detecting drift in your environment, triggering a remediation deployment on a schedule, and ensuring that it adheres to your organization's policies before proceeding. 

This level of automation, monitoring, and enforcement keeps infrastructure 

  1. In sync with your IaC code 
  2. Compliant with your organization's standards

With our platform, you can attain ‘smart’ auto remediation that keeps your infrastructure at its best, effortlessly aligning your real-world resources with your IaC code.

env0 drift detection serves as the watchful guardian of your infrastructure. By setting up scheduled deployment tasks that conclude with an examination of the [.code]terraform plan[.code] output, env0 automatically detects drift in your environment. 

When drift is detected, you're promptly alerted so you can take corrective actions before it becomes a bigger problem.

For example, you can detect drifts in S3 buckets. If it's something simple, like missing tags, you can enable policy in a .rego file that allows for any minor changes like updates (but not deletions or creations) to take immediate effect (see the video below to watch this in action).

For a full video walkthrough, watch the tutorial below:

Transcript

 Hello env0 user. My name is Andrew. I want to show you drift detection and remediation within env0. So let's get first started on what are the benefits of drift detection and remediation. Drift detection is whenever your code is drifted from your cloud resource. So drift detection will notify you when this occurs.

Of course, there are two ways this can occur. One is if the code has been updated, but not the cloud resource; or if the cloud resource has been changed, but not the code. 

So, in either scenario, we want to get notified when there's this discrepancy. And then for remediation, sometimes we were saying code is the source of truth.

Maybe it's not always. For example, if you're updating a tag, sure, we can just automatically approve those changes and remediate those, those tag changes. 

But what if we made a hotfix to a security group and didn't have time to change the code? In that scenario, you don't necessarily want auto remediation in the sense of the code is going to overwrite the cloud resource.

You may introduce whatever bug or issue that you had that you had to fix anyway, so how can we remediate in a smart manner in env0? What we do is we have a scheduled deployment with approval policies that will enable the smart auto remediation. 

Let me show you that in action before I do that. Let me quickly show you how drift detections look in env0.

You get a Slack or Teams notification. And in your environment, you get a result of “drifted” on the plan stage. You can see exactly kind of a summary of those drifts and click into it to find out exactly what changed here. I have another drifted environment, this S3 bucket. And if we look at the run in the plan, we can see here.

This bucket is some tags that have been deleted. So going back to that scenario, because these are just tags being missed, uh, that are missing, I want to have it auto automatically remediated. So inside the environment, what I've done already is configured a scheduled deployment. So this will deploy every two hours.

And on the project, I've also enabled an approval policy.

So in my git repo, I have this open policy agent or rego file that defines when to allow, automatically allow the deployment to continue. In this scenario, what I'm saying is, if there are any deletions, Or if there are any creations, I will not allow it, but if it's just updates, then I will allow. So you can, of course, make this tailored to your needs.

For example, again, going back to that scenario, just checking for tags, or if you need a security group, it’ll require an approval process in env0. To simulate the scheduled deployment, I will go ahead and manually deploy.

And we'll let that run.

We can see the approval policy automatically allowed this deployment. We can see the message here, prove automatically for updates only. If I go back into the plan and inspect the plan, you can see here that I'm only updating these tags. 

Okay, great. The deployment is now complete.. The tags have been updated.

And I hope this shows you how with env0's scheduled deployments and approval policies, you too can implement smart auto remediation. If you have any questions, please feel free to reach out. I look forward to hearing from you.

Logo Podcast
With special guest
Andrew Brown

Schedule a technical demo. See env0 in action.

CTA Illustration