Common questions and answers about the configuration command center ConfigOps platform.

What is CloudTruth?

CloudTruth is a dynamic secrets and config engine that helps teams generate accurate, repeatable config and secrets for every deployment.

It centralizes access to all secrets, parameters, and ENV variables related to infrastructure provisioning, application configuration, and secrets management.

Input and output integrations connect with your tools: Kubernetes, Terraform, CloudFormation, Vault, AWS Secrets Manager, AWS Parameter Store, Azure Key Vault, GitHub, Ansible, Puppet, and others.

With CloudTruth, you gain a single record of truth across all configuration settings and automatic change tracking, improving security, reliability, and team velocity.

Configuration is becoming distributed and decentralized, leading to an exponential increase in the settings required by each deployment across multiple environments. This is a hard problem to solve at scale.


Why do I need CloudTruth?

We interviewed thousands of technology professionals across roles, ranging from CIO, CTO, and CISO to DevOps, SecOps, and QA leaders. We learned that there needs to be a better way to track & orchestrate configuration changes.

Nearly everyone uses one tool for infrastructure as code (IaC) techniques to provision infrastructure, another tool to configure applications & services, and a separate third tool to store secrets. With the advent of IaC, Kubernetes, containers, and serverless come new challenges because multiple tools are spread across multiple teams, using hundreds of Git repositories to store configuration settings.

CloudTruth aggregates all configuration settings into one consolidated view and lets you use the data between tools.

Usage examples:

  • Automatically configure applications from IaC tooling.

  • Dynamically build and update Kubernetes ConfigMaps and secrets with centralized control.

  • Track consistency between dev/test, staging, and production environments.

  • Support multiple environments with inheritances and overrides.

  • Use dynamic templating to streamline application configuration.

  • SRE teams need to know what changed, by whom, and when right before an outage or security incident.

  • Share configuration file changes with team members who don’t have access to original sources (such as compliance, QA, audit & GRC teams).

  • QA groups manage multiple environments and need to know if a setting that causes drift from standard configuration settings is changed.

  • A data science team will want to know when database configurations change before production.

  • Compliance now has an easier way to track changes system-wide.

What does CloudTruth do?

CloudTruth is a ConfigOps platform that provides a unified parameter store that can source configuration settings from other locations. Also included is built-in support for multiple environments and static and dynamic templating.

CloudTruth can also securely store secrets alongside other configuration data.

CloudTruth connects to your existing configuration tools, such as Terraform, Ansible, and CloudFormation, and to parameter stores, such as AWS SSM, Vault, and Git repos. This provides a single API, CLI, and GUI to interact with all your configuration data from one place.

Why is CloudTruth different?

  • Tool-agnostic: CloudTruth lives alongside your existing configuration tools and works across multiple environments and IaC solutions.

  • Cloud-agnostic: CloudTruth is focused on the configuration data layer and works with multiple cloud providers. It starts with AWS support now, with future support for Azure, GCP, IBM, DO, and other infrastructure providers.

  • Focused on change: Our initial offering is a centralized parameter store that can source settings from other locations such as Terraform, AWS Parameter Store, and JSON/YAML stored in GitHub.

  • Built anticipating the evolution to containers, serverless, and IaC: Configuration is becoming decentralized and distributed. DevOps, SRE, and core software developers now interact with configuration tools. What’s missing is a single record of truth describing how an organization’s infrastructure and applications are configured.

Where is my data stored?

Your configuration data never leaves the source. Parameters and secrets can remain in your existing locations, such as AWS Parameter Store, AWS Secrets Manager, Azure Key Vault, HashiCorp Vault, or Git repos.

You can also optionally import your config data into CloudTruth. In that case, your data is stored in an AWS RDS database encrypted with an automatically generated KMS key (or you can supply your own key).

Additional account and system information is stored in an AWS database service.

A self-hosted version is available to keep all your data and processing in your own VPC.

What permissions does CloudTruth need?

CloudTruth needs read-only access permissions to in/out integrations such as S3, AWS SSM, and GitHub repositories.
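
An added example, not CloudTruth's own code or documented policy: a small Python check that the IAM policy you attach to an integration role really is read-only for S3 and SSM before you grant it. The `READ_ONLY` prefixes and the sample policy are assumptions constructed for illustration, since this page does not list the exact actions required, and the GitHub side is out of scope here.

```python
# Action prefixes treated as read-only (assumption of this example).
READ_ONLY = ("s3:get", "s3:list", "ssm:get", "ssm:describe", "ssm:list")


def _as_list(value):
    """IAM accepts a single item or a list for Statement and Action."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def is_read_only(action):
    """True only if everything the action pattern can match is a read action.

    The literal text before the first wildcard must already sit inside a
    read-only prefix, so "s3:*" and "*" are rejected. IAM action names are
    case-insensitive.
    """
    literal = action.lower().split("*")[0].split("?")[0]
    return any(literal.startswith(prefix) for prefix in READ_ONLY)


def audit_policy(policy):
    """Return (statement_index, item, reason) for every over-broad Allow."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append((i, "NotAction", "allows every action not listed"))
            continue
        for action in _as_list(stmt.get("Action")):
            if not is_read_only(action):
                findings.append((i, action, "not limited to S3/SSM reads"))
    return findings


# Constructed sample policy: one correct statement, two over-broad, one Deny.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ssm:GetParametersByPath", "ssm:DescribeParameters"], "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-config-bucket/*"},
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ssm:PutParameter", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for index, item, reason in audit_policy(SAMPLE_POLICY):
        print(f"statement {index}: {item}: {reason}")
```

The check is deliberately conservative: a pattern such as `s3:G*` is flagged even though it currently matches only read actions, because its wildcard is wider than the allowed prefix.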

What is the security model?

CloudTruth is created by experienced cloud technologists who have previously created massively scalable systems for data backup, archiving, compliance, and governance.

We follow the principle of least privilege in our access policies, with strong boundaries between environments and restricted access to production resources.

Copyright© 2023 CloudTruth