What is CloudTruth?
CloudTruth is a dynamic secrets and config engine that helps teams generate accurate, repeatable config and secrets for every deployment.
It centralizes access to all secrets, parameters, and ENV variables related to infrastructure provisioning, application configuration, and secrets management.
Input and output integrations connect with the tools you already use: Kubernetes, Terraform, CloudFormation, Vault, AWS Secrets Manager, AWS Parameter Store, Azure Key Vault, GitHub, Ansible, Puppet, and many others.
With CloudTruth, you gain a single record of truth across all configuration settings and automatic change tracking, improving security, reliability, and team velocity.
Configuration is becoming distributed and decentralized, leading to an exponential increase in the number of settings required by each deployment across multiple environments. This is a hard problem to solve at scale.
Why do I need CloudTruth?
We interviewed hundreds of technology professionals across roles, ranging from CIO, CTO, and CISO to DevOps, SecOps and QA leaders. What we learned is that there needs to be a better way to track & orchestrate configuration changes.
Nearly everyone uses one tool for infrastructure as code (IaC) techniques to provision infrastructure, another tool to configure applications & services, and a separate third tool to store secrets. With the advent of IaC, Kubernetes, containers and serverless come new challenges, because there are multiple tools, spread across multiple teams, using hundreds of Git repositories to store configuration settings.
CloudTruth aggregates all configuration settings into one consolidated view, and then lets you use the data between tools.
Usage examples:
- Automatically configure applications from IaC tooling.
- Dynamically build and update Kubernetes ConfigMaps and secrets with centralized control.
- Track consistency between dev/test, staging, and production environments.
- Support multiple environments with inheritances and overrides.
- Use dynamic templating to streamline application configuration.
- SRE teams need to know what changed, by whom, and when, right before an outage or security incident.
- Share configuration file changes with team members who don’t have access to original sources (such as compliance, QA, audit & GRC teams).
- QA groups manage multiple environments and need to know if a setting is changed that causes drift from standard configuration settings.
- A data science team will want to know when database configurations are changing before production rolls out.
- Compliance teams now have an easier way to track changes system-wide.
What does CloudTruth do?
CloudTruth is a configuration sync hub that provides a unified parameter store with the ability to source configuration settings from other locations. Also included is built-in support for multiple environments along with static and dynamic templating.
CloudTruth can also securely store secrets alongside other configuration data.
CloudTruth connects to your existing configuration tools, such as Terraform, Ansible, and CloudFormation, and to parameter stores such as AWS SSM, Vault, and Git repos. This provides a single API, CLI and GUI to interact with all your configuration data from one place.
Why is CloudTruth different?
- Tool-agnostic: CloudTruth lives alongside your existing configuration tools and works across multiple environments and IaC solutions.
- Cloud-agnostic: CloudTruth is focused on the configuration data layer and works with multiple cloud providers, starting with AWS support now, with future support for Azure, GCP, IBM, DO, and other infrastructure providers.
- Focused on change: Our initial offering is a centralized parameter store with the ability to source settings from other locations such as Terraform, AWS Parameter Store, and JSON/YAML stored in GitHub.
- Built anticipating the evolution to containers, serverless and IaC: Configuration is becoming decentralized and distributed. DevOps, SRE, and core software developers are all now interacting with configuration tools. What’s missing is a single record of truth describing how an organization’s infrastructure and applications are configured.
Where is my data stored?
Your configuration data never leaves the source. Parameters and secrets can remain in your existing locations, such as AWS Parameter Store, AWS Secrets Manager, Azure Key Vault, HC Vault, or Git repos.
You can also optionally import your config data into CloudTruth. In that case, your data is stored in an AWS RDS database encrypted with an automatically generated KMS key (or you can supply your own key).
Additional account and system information is stored in an AWS database service.
What permissions does CloudTruth need?
CloudTruth needs read-only access permissions to in/out integrations such as S3, AWS SSM, and GitHub repositories.
What is the security model?
CloudTruth is created by experienced cloud technologists who have previously created massively scalable systems for data backup, archiving, compliance, and governance.
We follow the principle of least privilege in our access policies, with strong boundaries between environments and restricted access to production resources.
How much does CloudTruth cost?
CloudTruth offers a free community edition and Premium and Enterprise paid tiers.
More information can be found on our pricing page.