Pulumi adds registry to share secure IaC code
Pulumi this week added a public ledger to its portfolio that makes it easier to discover packages that have been created using its tools to manage infrastructure as code (IaC).
Joe Duffy, CEO of Pulumi, said the Pulumi ledger will make it easier for DevOps teams to share and reuse IaC tools that have been verified instead of always requiring each development team to write new code every time they go. it wants to provision the infrastructure programmatically. Pulumi packages provide modern cloud reference architectures in the form of software development kits (SDKs), sample code, and how-to guides.
In addition to the major cloud service providers, there are also Pulumi provider packages for Auth0, CloudFlare, Confluent Cloud, Datadog, DigitalOcean, Docker, GitHub, Kong, MinIO, MongoDB Atlas, PagerDuty, Snowflake, Spot by NetApp, and others.
There are also Pulumi component packages for deploying container applications to instances of Kubernetes and other related platforms, in addition to deploying applications to serverless IT infrastructures.
Duffy said that in addition to providing a “golden picture” of their configurations, the registry reduces the overall level of friction that often exists between developers, IT operations teams, and cybersecurity professionals.
The latest Pulumi offering is part of an ongoing effort to democratize cloud computing in a repeatable and reliable manner, Duffy noted. Pulumi, for example, just added support for a set of AWS Cloud Control application programming interfaces (APIs) that reduce the number of APIs that developers would otherwise have to master. The more APIs, the more likely a developer is to make a mistake.
IT teams should expect other cloud service providers to similarly streamline the APIs they present to developers as part of an effort to make their services both more accessible and secure. In the meantime, the frameworks provided by Pulumi provide a way to invoke these lower level APIs at a higher level of abstraction for developers and internal IT operations teams.
It is not yet clear exactly how many developers use IaC tools on a regular basis, but as the number of workloads deployed in the cloud steadily increases, so does the percentage of developers who use these tools. While this change represents a major productivity boon for developers, it comes with additional security risks that many organizations fail to appreciate until it’s too late.
The only way to really solve this problem is for organizations to adopt DevSecOps best practices that require a level of collaboration between DevOps and security teams that is still relatively rare. However, as the tooling provided continues to improve, the technical challenges associated with achieving this goal continue to diminish. The next big issue, as always, is bringing all the diverse cultures together within an IT organization to actually implement these tools and define a set of best practices that work for everyone involved.