August 22, 2023
Curtis Castrapel

IAMbic and Terraform: Elevating IAM Together

When companies talk about their affinity for Terraform, the thought of "switching" weighs heavy. But, IAMbic doesn't ask you to switch – it's here to enhance. By integrating with Terraform and other IaC tools, it reinforces their strengths, adding that extra layer of centralized visibility and auditing for all of your IAM.

When done right, DevOps and cloud infrastructure implementations often remind me of a well-constructed staircase. Each step is vital, and every tool has its unique place and purpose, building on the base. Terraform often provides the foundational steps of many teams' IaC, provisioning and managing infrastructure seamlessly. But when we ascend the staircase and focus on the challenges that DevOps and Security teams face regarding access and identity at scale, specialized tools can present a better, more sustainable and manageable solution.

Shift-left continues to revolutionize the industry. It has democratized infrastructure management, and now, with IAMbic, we focus on shifting access and identity management left, allowing development teams to manage both user and service identities directly. 

However, like a staircase missing a step, there's a risk of stumbling when moving to IAM as code. Cloud identities are often (read: always) dispersed across multiple code repositories, intricately woven in HCL with its conditions, variables, and loops. It's a dream for developers but can be a nightmare for central teams to track, especially when the onus falls on them to detect and revert risky permission changes, remove unused cloud identities, and delete unused cloud credentials.

When a development team transitions to a new project, they commonly leave behind a labyrinth of cloud resources and identities. These digital remnants become dormant but are far from harmless, existing like unexploded mines in the landscape of your infrastructure. In traditional Infrastructure-as-Code (IaC) setups like Terraform, making changes to these idle resources is fraught with risk, due to the way state management is configured. 

In Terraform's stateful approach, all resources are interconnected. A modification to one can have unintended ripple effects on others, jeopardizing the stability of the entire cloud environment. It's like pulling a thread in a tapestry; you never know what part might unravel as a result. This makes it a high-stakes endeavor for DevOps and Security teams to clean up these dormant resources without causing disruptions elsewhere.

How Does IAMbic Fit In?

IAMbic is a collaborative tool designed for developers, DevOps/SRE/cloud administrators, and security teams. It makes access and identity management a collective effort rather than a solo, siloed endeavor.

Just as every step on a staircase supports the next, IAMbic isn't here to replace your current IaC solutions. It's here to complement them. In the vast cloud landscape where CloudFormation, Terraform, Pulumi, ClickOps, and others co-exist, expecting one tool to dominate is unrealistic. IAMbic is that stabilizing handrail, guiding you up the staircase without disrupting your stride.

Taking the Steps with IAMbic

First Step: Lay the foundation

Start by capturing the current state of IAM across your cloud provider with IAMbic. You'll be able to monitor changes and trace them back to their origin, all through Git. If you’re simply looking for visibility and auditing, this step alone provides immense value. You do not need to use IAMbic to manage resources if you do not want to.

Second Step: Take Ownership of Shared Resources

For those in central DevOps or cloud security teams, the best way to begin is with resources you already control, such as Service Control Policies (SCPs), shared IAM roles, or AWS Identity Center Permission Sets. By migrating these to IAMbic, you'll have a simplified, centralized hub for managing these resources, regardless of how they were initially created or modified.

Third Step: Empower Developers and Standardize Requests

Developers should use the tools that work best for them. IAMbic makes it easier to guide them down “paved roads” for requesting the right amount of cloud permissions. With IAMbic, it becomes simpler to flag over-privileged or risky permissions, offering a centralized hub to make auditing and decision-making more straightforward. IAMbic provides a native GitOps self-service experience that anyone can use, regardless of their IAM expertise. The Noq Enterprise Platform takes this a step further with click-through self-service flows that help users make access and permissions requests easily. These are translated into pull requests in your version control system that you have full control over.
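The "flag over-privileged or risky permissions" part of this step is the kind of check a pull-request gate can run on an IAM change before a human reviews it. The following is an added example, not IAMbic or Noq code: it diffs two revisions of an IAM policy document, lists the grants the new revision adds, and explains which of them deserve reviewer attention (wildcard actions, an unrestricted resource, or an action from an illustrative sensitive list). The two policy documents and the sensitive-action list are constructed for the example.

```python
"""Surface risky permission additions between two revisions of an IAM policy.

Added example, not IAMbic or Noq code. It shows the shape of an automated
review step for IAM changes submitted as pull requests; the policy documents
and the SENSITIVE_ACTIONS list below are constructed sample input.
"""
import json

# Constructed "before" and "after" policy documents, as two revisions of a
# policy file under version control might look.
POLICY_BEFORE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

POLICY_AFTER = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": "*"},
    ],
})

# Illustrative list of actions a reviewer usually wants called out explicitly.
# This is an assumption for the example, not a complete catalogue.
SENSITIVE_ACTIONS = {"iam:passrole", "sts:assumerole", "iam:createaccesskey"}


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_grants(policy_json):
    """Return the set of (action, resource) pairs granted by Allow statements.

    NotAction/NotResource statements are not expanded here; a production check
    would need to handle them (and conditions) separately.
    """
    doc = json.loads(policy_json)
    grants = set()
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        for action in _as_list(stmt.get("Action")):
            for resource in _as_list(stmt.get("Resource")):
                grants.add((action, resource))
    return grants


def new_grants(before_json, after_json):
    """Grants present in the new revision but absent from the old one, sorted."""
    return sorted(allowed_grants(after_json) - allowed_grants(before_json))


def risk_reasons(action, resource):
    """Explain why one grant deserves reviewer attention; empty list if it does not."""
    reasons = []
    lowered = action.lower()
    if lowered == "*" or lowered.endswith(":*"):
        reasons.append(f"wildcard action {action!r}")
    elif lowered in SENSITIVE_ACTIONS:
        reasons.append(f"sensitive action {action!r}")
    if resource == "*":
        reasons.append("unrestricted resource '*'")
    return reasons


def review_policy_change(before_json, after_json):
    """Return {(action, resource): [reasons]} for the risky additions only."""
    findings = {}
    for action, resource in new_grants(before_json, after_json):
        reasons = risk_reasons(action, resource)
        if reasons:
            findings[(action, resource)] = reasons
    return findings


if __name__ == "__main__":
    for (action, resource), reasons in review_policy_change(POLICY_BEFORE, POLICY_AFTER).items():
        print(f"{action} on {resource}: {'; '.join(reasons)}")
```

Running it reports `iam:*` on `*` (wildcard action, unrestricted resource) and `sts:AssumeRole` on `*` (sensitive action, unrestricted resource), while the added `s3:PutObject` on the bucket prefix is listed as new but produces no finding. Because the check works on the diff of grants rather than the whole document, a long-standing broad permission does not block an unrelated change, which keeps the gate focused on what the pull request actually introduces.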

Fourth Step: Trim the Fat

Now that you have a centralized IAM repository, it's time to clean house. Use IAMbic to quickly identify and remove risky or unused permissions. Unlike Terraform, IAMbic allows for swift, uncomplicated permission changes that can easily be rolled back with a simple Git revert, ensuring the integrity of your IAM environment. There is no state to contend with. The Noq Platform provides a comprehensive suite of tools to help you identify unused cloud identities (like IAM roles), credentials (like IAM User Access Keys or Console Passwords), cloud permissions, and more.
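Identifying unused credentials is something you can start doing from the data AWS already gives you. The following is an added example, not Noq or IAMbic code: it reads a CSV in the layout of the AWS IAM credential report (the file `iam get-credential-report` returns) and lists enabled console passwords and access keys that have never been used or have not been used within an assumed threshold. The three user rows and the fixed "now" are constructed so the result is reproducible offline; the column names are those of the real report.

```python
"""List unused IAM user credentials from an IAM credential report.

Added example, not Noq or IAMbic code. The header row uses the column names
of the AWS IAM credential report; the user rows, the fixed NOW and the
90-day threshold are constructed assumptions for the example.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report. Real reports carry more columns (creation time,
# MFA status, certificate fields); csv.DictReader simply ignores the extras.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
alice,arn:aws:iam::111111111111:user/alice,true,2023-08-20T09:15:00+00:00,true,2023-08-21T10:00:00+00:00,false,N/A
build-bot,arn:aws:iam::111111111111:user/build-bot,false,not_supported,true,2023-01-05T00:00:00+00:00,true,N/A
bob,arn:aws:iam::111111111111:user/bob,true,no_information,false,N/A,false,N/A
"""

NOW = datetime(2023, 8, 22, tzinfo=timezone.utc)  # fixed clock for a reproducible result
MAX_UNUSED_DAYS = 90  # assumed threshold; pick what your policy requires

# Placeholder values the report uses when there is no timestamp.
NO_TIMESTAMP = {"N/A", "no_information", "not_supported", ""}


def parse_timestamp(value):
    """Return an aware datetime for an ISO-8601 timestamp, or None for the report's placeholders."""
    if value in NO_TIMESTAMP:
        return None
    return datetime.fromisoformat(value)


def find_unused_credentials(report_csv, now=NOW, max_unused_days=MAX_UNUSED_DAYS):
    """Return [(user, credential, reason)] for enabled credentials unused for too long.

    Disabled passwords and inactive keys are skipped: they are not a live
    exposure, although a separate cleanup could still delete them.
    """
    cutoff = now - timedelta(days=max_unused_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        checks = [
            ("console password", row["password_enabled"], row["password_last_used"]),
            ("access key 1", row["access_key_1_active"], row["access_key_1_last_used_date"]),
            ("access key 2", row["access_key_2_active"], row["access_key_2_last_used_date"]),
        ]
        for name, active, last_used in checks:
            if active != "true":
                continue
            used = parse_timestamp(last_used)
            if used is None:
                findings.append((row["user"], name, "never used"))
            elif used < cutoff:
                findings.append((row["user"], name, f"last used {(now - used).days} days ago"))
    return findings


if __name__ == "__main__":
    for user, credential, reason in find_unused_credentials(SAMPLE_REPORT):
        print(f"{user}: {credential} ({reason})")
```

On the sample data this flags build-bot's first access key (last used 229 days before the fixed clock), build-bot's second key and bob's console password (both enabled but never used), and nothing for alice. Feeding it a real report is a matter of replacing `SAMPLE_REPORT` with the decoded report content and letting `now` default to the current UTC time; the output is a starting list for the kind of cleanup this step describes, to be confirmed against the owning team before anything is deleted.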

Comparing Steps: IAMbic vs. Terraform

| Feature | IAMbic | Terraform (or other IaC) |
|---|---|---|
| Multi-Account AWS and Orgs | Native Support | 3rd Party Tools (Terragrunt, etc.) |
| Declarative Temporary | Native Support | No |
| Imports current IAM to VCS | Yes | 3rd Party Tools (Limited to single AWS Account) |
| Auto-commits new IAM changes to VCS | Yes | No |
| CloudTrail Attribution for IAM changes | Yes | No |
| Bi-Directional Sync | Yes | No |
| Drift Prevention | Yes | Limited |
| Central Source of Truth for current state of all IAM | Yes | No |
| Multi-Cloud Support | Currently AWS, Azure AD, Okta, and Google Workspace, with more coming soon. | |
| Language | YAML | HCL |
| Open Source | Yes | No |
| Governance & Compliance | Native in VCS | No |
| Community Support | Growing | Strong |

In the end, consider IAMbic as that added step or handrail on your DevOps staircase – ensuring you move forward with balance, clarity, and confidence.

Curtis Castrapel

Noq Founder

The First IAM Ops Platform for AWS