DevOpsLinks

Governance grows teeth without killing velocity: policy-enforced health alerts, approvable env configs, and zero‑downtime flips alongside eBPF‑native tracing and pipelines that auto‑lock compromised accounts. AI writes tests and unmasks malware, Perplexity tests your robots.txt, and Terraform reminds us the docs can lie—the details are where the wins are, so dig in.
🚨 Azure Service Health Built-In Policy (Preview) – Now Available!🔄 Blue‑Green Deployment in 1 diagram and 195 words🔬 Building on the foundation of OpenTelemetry eBPF Instrumentation: what’s new in Grafana Beyla 2.5🤖 From Manual Testing to AI-Generated Automation: Our Azure DevOps MCP + Playwright Success Story🛡️ How to automatically disable users in AWS Managed Microsoft AD based on GuardDuty findings✅ Introducing Approvals in Pulumi ESC🕷️ Perplexity is using stealth, undeclared crawlers to evade website no-crawl directives🧠 Project Ire autonomously identifies malware at scale⚠️ Terraform Validate Disagrees with Terraform Docs🛠️ Writing an internal Terraform provider from A to Z

Less guesswork, more guardrails—go build.

Have a great week!
FAUN.dev Team

Microsoft just dropped Azure Service Health Built-In Policy (Preview). It lets teams push Service Health alerts across every Azure subscription—automatically—using Azure Policy. No more piecemeal setup.

It folds in AMBA lessons, supports custom rules and action groups, and locks in alert coverage at the management group level. Scale? Check. Consistency? Finally.

Cybersecurity professionals can now launch Kali Linux in a virtualized container on macOS Sequoia using Apple's new containerization framework. Apple announced a new framework at WWDC 2025, allowing Apple Silicon hardware to run isolated Linux distros in a virtualized environment. There are limitations to the feature, as it's only available on Apple Silicon and has bugs related to networking.

Microsoft just dropped Project Ire, an autonomous AI that tears through software like a experienced reverse engineer. It decompiles, analyzes, classifies malware—all on its own. Under the hood: LLMs, decompilers, and a tool-use API running the show.

On public Windows driver datasets, it scored 0.98 precision and 0.83 recall, and even called out APT malware that slipped past older detection tools.

Pulumi ESC just leveled up with Approvals—structured reviews for environment config changes, straight from Console, CLI, SDK, or VS Code. Think pull requests, but for your infra settings. No more YOLO updates.

Teams can now lock down config changes with required sign-offs. More control. Cleaner logs. Real governance.

What’s the big deal?
Config management finally plays by the same rules as code: reviewable, auditable, and access-controlled.

Grafana Beyla 2.5 goes all-in on upstream OpenTelemetry eBPF Instrumentation, baking it right into the core. This release adds auto-instrumentation for MongoDB and JSON-RPC, manual spans in Go, and tighter trace correlation for NodeJS.

New in town: survey mode. Think lightweight service discovery—no full-blown instrumentation needed.

AWS just dropped a new threat-response setup that ties GuardDuty, EventBridge, Step Functions, and Systems Manager Run Command into one clean pipeline. The goal? Hunt for EC2 threats and lock down Active Directory accounts—automatically.

GuardDuty kicks off the flow when it spots trouble. From there, EventBridge routes the signal, Step Functions handles the logic, and Systems Manager hits AD with the lockout.

Bigger picture: This isn’t just a clever workflow. It’s part of the shift toward wiring security into your stack—natively, instantly, and without humans in the loop.

In observing Perplexity's stealth crawling behavior, it was noted that they obscure their crawling identity in an attempt to circumvent website preferences by modifying user agents and changing ASNs. Despite being blocked, Perplexity's crawlers continued to try to access restricted content, using undisclosed IPs and user agents.

ICMP runs behind the scenes of tools like ping and traceroute, tossing out control messages—Echo, TTL Expired, Destination Unreachable—that help map out networks. But it trusts too easily. That leaves it open to DDoS amplification, MITM through Redirect, and fingerprinting via Timestamps.

Terraform’s CLI will throw errors on configs that match the docs—because your local provider schema might be stale or out of sync. Docs follow the latest release. Your machine might not.

So even supported fields can break validation. Love that for us.

Typeform rolled their own Terraform provider to wrangle runtime data through an internal API. Built with HashiCorp’s Go SDK, the official scaffolding framework, and wired up with acceptance tests for full lifecycle muscle.

They skipped the public Terraform Registry entirely. Instead, they shipped provider binaries as GitHub release artifacts, then rigged installs through a local filesystem mirror with a custom Terraform CLI config.

System shift: More teams are ditching private registries, going lean with internal providers tailored to their stack. Easier infra-as-code. No middleman.

A team wired up Azure DevOps’ MCP server with GitHub Copilot to crank out Playwright end-to-end tests from manual test cases. They now run tests on demand from Azure Test Plans, convert entire test suites in bulk, and drop the results into CI pipelines—no hand-holding required.

System shift: AI's not just helping QA. It's rewriting it—turning old-school manual test cases into prompt-powered automation.

Blue-Green deployment runs two matching environments so you can flip traffic with zero downtime—and yank it back fast if something breaks.

Kubernetes + Istio and Spinnaker handle the heavy lifting. They steer traffic between versions and keep infra lean.

An open-source AI agent that brings the power of Grok directly into your terminal.

CheckCle is a self-hosted, open-source monitoring platform for seamless, real-time full-stack systems, applications, and infrastructure. It provides real-time uptime monitoring, distributed checks, incident tracking, and alerts. All deployable anywhere.

Linux Bash Script for the Paranoid Admin on a Budget - real-time monitoring and active threat response

Simple API monitoring & analytics for Go apps

Google’s Site Reliability Engineering approach to error-budget monitoring often employs multi-window, multi-burn-rate alerting, rather than relying solely on raw error percentages. For a typical 30-day SLO, a fast-burn alert might trigger when the error budget is consumed at 14.4× the expected rate over both a short (5 min) and a long (1 h) window, while a slow-burn alert might fire for 6× over 30 min and 6 h, or even 2% in 1 h and 5% in 6 h—all based on the corresponding burn-rate thresholds. This design catches sudden degradations swiftly without alert fatigue from short blips. You can implement this logic using Prometheus recording rules or tools such as Grafana, Sloth, or OpenSLO.

This Week’s Human is Andrew Foe, founder building NVIDIA-powered edge datacenters at HyperAI and a 20+ year cloud/AI practitioner. He’s helped hosting partners become cloud providers, led IoDis to NVIDIA Elite Partner status, and ships sustainable GPU infrastructure (A100/H100/L40S). Previously with Dell, HP, Lenovo, and more, he’s worked with teams at Booking.com, Leaseweb, and AMS-IX to turn complex infrastructure into systems that actually run.