
What is Overmind CLI?

Overmind CLI is a powerful tool for real-time impact analysis on Terraform changes. By leveraging Overmind's capabilities, you can identify and mitigate potential risks before they harm your infrastructure, ultimately giving you the insight of a post-mortem without the associated fallout.

Installation

macOS

To install on macOS with Homebrew, use:

brew install overmindtech/overmind/overmind-cli

Windows

Install using winget:

winget install Overmind.OvermindCLI

Or manually download the latest release, extract overmind.exe, and add it to your PATH.

Ubuntu / Debian

Set up the repository automatically:

curl -1sLf \
'https://dl.cloudsmith.io/public/overmind/tools/setup.deb.sh' \
| sudo -E bash

Or set it up manually:

apt-get install -y debian-keyring  # Debian only
apt-get install -y debian-archive-keyring # Debian only
apt-get install -y apt-transport-https
# Set keyring_location to exactly one of the two paths below.
# For Debian Stretch, Ubuntu 16.04 and later
keyring_location=/usr/share/keyrings/overmind-tools-archive-keyring.gpg
# For Debian Jessie, Ubuntu 15.10 and earlier, use this path instead
# keyring_location=/etc/apt/trusted.gpg.d/overmind-tools.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/overmind/tools/gpg.BC5CDEFB4E37A1B3.key' | gpg --dearmor >> "${keyring_location}"
# The distro and codename parameters select the repository configuration for your release
curl -1sLf 'https://dl.cloudsmith.io/public/overmind/tools/config.deb.txt?distro=ubuntu&codename=xenial&component=main' > /etc/apt/sources.list.d/overmind-tools.list
apt-get update

Then install the CLI:

apt-get install overmind-cli

RHEL

Set up the repository automatically:

curl -1sLf \
'https://dl.cloudsmith.io/public/overmind/tools/setup.rpm.sh' \
| sudo -E bash

Or set it up manually:

yum install yum-utils pygpgme
rpm --import 'https://dl.cloudsmith.io/public/overmind/tools/gpg.BC5CDEFB4E37A1B3.key'
curl -1sLf 'https://dl.cloudsmith.io/public/overmind/tools/config.rpm.txt?distro=amzn&codename=2023' > /tmp/overmind-tools.repo
yum-config-manager --add-repo '/tmp/overmind-tools.repo'
yum -q makecache -y --disablerepo='*' --enablerepo='overmind-tools'

Then install the CLI:

sudo yum install overmind-cli
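
The manual Debian/Ubuntu and RHEL steps above trust the repository signing key as soon as it is downloaded. As an added example (not from the Overmind or Cloudsmith documentation), this helper accepts a key only if it is the one named in the key URL, `BC5CDEFB4E37A1B3`. `check_repo_key` and `sample_listing` are hypothetical names, the sample listing is constructed with a placeholder fingerprint, and a 40-hex-digit (v4) fingerprint is assumed.

```sh
#!/bin/sh
# Reads `gpg --show-keys --with-colons KEYFILE` output on stdin.
# Colon format: a "pub" record has validity in field 2 (r = revoked,
# e = expired) and the 64-bit key ID in field 5; the "fpr" record that
# follows it has the full fingerprint in field 10.

EXPECTED_KEY_ID='BC5CDEFB4E37A1B3'  # from the gpg.*.key URL on this page

# check_repo_key EXPECTED_ID  (hypothetical helper)
# Prints the fingerprint and returns 0 only when the listing holds exactly
# one primary key that is not revoked or expired and whose key ID and
# fingerprint tail both equal EXPECTED_ID. Assumes a v4 (40 hex) fingerprint.
check_repo_key() {
    awk -F: -v want="$1" '
        $1 == "pub" { pubs++; validity = $2; keyid = toupper($5); primary = 1; next }
        $1 == "sub" { primary = 0; next }
        $1 == "fpr" && primary { fpr = toupper($10); primary = 0 }
        END {
            want = toupper(want)
            if (pubs != 1)
                err = "expected one primary key, found " (pubs + 0)
            else if (validity == "r" || validity == "e")
                err = "key is revoked or expired"
            else if (keyid != want)
                err = "key ID is " keyid ", expected " want
            else if (length(fpr) != 40 || substr(fpr, 25) != want)
                err = "fingerprint does not end in the key ID"
            if (err != "") { print "REJECT: " err > "/dev/stderr"; exit 1 }
            print fpr
        }'
}

# Constructed listing for illustration; the fingerprint is a placeholder.
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:BC5CDEFB4E37A1B3:1577836800:::-:::scESC::::::23::0:
fpr:::::::::000000000000000000000000BC5CDEFB4E37A1B3:
uid:-::::1577836800::::Constructed Example <repo@example.invalid>::::::::::0:
sub:-:4096:1:1111111111111111:1577836800::::::e::::::23:
fpr:::::::::1111111111111111111111111111111111111111:
EOF
}

# Real use, with the key first saved to a file instead of piped to gpg:
#   gpg --show-keys --with-colons overmind-tools.key \
#     | check_repo_key "$EXPECTED_KEY_ID" \
#     && gpg --dearmor < overmind-tools.key > "${keyring_location}"
```

The page publishes only the 64-bit key ID, so that is what the check pins; comparing the printed fingerprint against one obtained out of band is a stronger check.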

Alpine

Set up the repository automatically:

sudo apk add --no-cache bash
curl -1sLf \
'https://dl.cloudsmith.io/public/overmind/tools/setup.alpine.sh' \
| sudo -E bash

Or set it up manually:

curl -1sLf 'https://dl.cloudsmith.io/public/overmind/tools/rsa.7B6E65C2058FDB78.key' > /etc/apk/keys/tools@overmind-7B6E65C2058FDB78.rsa.pub
curl -1sLf 'https://dl.cloudsmith.io/public/overmind/tools/config.alpine.txt?distro=alpine&codename=v3.8' >> /etc/apk/repositories
apk update

Then install the CLI:

apk add overmind-cli

Arch

Packages for Arch are available on the releases page for manual download and installation.

Getting Started

To see the impact and potential risks of a Terraform code change you've made locally, run overmind terraform plan from the root of your Terraform project. This command will inspect your checkout, run terraform plan, discover all your existing cloud resources, and create a report of all items that could be impacted by this change. Overmind will also provide an automated assessment of deployment risks. At no point will credentials or sensitive values be uploaded to Overmind systems.

Example Session

$ overmind terraform plan
### Check for a token locally, if it doesn't exist log the user in
Please sign-up/login at <https://app.overmind.tech/signup?code=1234-1234>
### Device OAuth flow
Authentication succeeded.
### Check to see if the user has any config about where the source should run
### If they don't, they will be prompted to choose
Choose how to access your AWS account (read-only):
> Use $AWS_PROFILE (currently: dogfood)
Use a different profile
Use the default settings # if AWS_PROFILE is not set
Configure managed source (opens browser)
### Detect outdated topology cache and populate if necessary
Detected outdated topology cache, populating in the background...
Running `terraform plan`...
### Terraform plan output
Plan Complete! Submitting plan to Overmind...
✅ Mapping resources
✅ Stripping sensitive data
✅ Submitting changes to Overmind
✅ Discovering Blast Radius
✅ Blast radius graph ready, opening in browser: <https://app.overmind.tech/changes/02938475092387450928374059>
✅ Calculating risks
Plan complete: Expected Changes:
+ dns > www.google.com
~ ec2-instance > i-18b23b43h
- ip > 1.1.1.1
-/+ ec2-instance > i-18b23b43h (replaced)

Blast Radius: Items: 128 Edges: 350

### Potential Risks
- **Impact on Target Groups (High 🔥)**: Target groups may be indirectly affected if the security group change causes networking issues.
- **Impact on Load Balancer Traffic (Medium !)**: The restriction of egress traffic to just port 8080 could affect the distribution of traffic to backend services.
- **Misconfiguration of Egress Rules (Low ⁉)**: The security group change to port 8080 poses a risk of blocking other outbound traffic required by applications.

See this change in the graph: <https://app.overmind.tech/changes/1290380-28374-23498987>

To apply and track changes, run:
```sh
overmind terraform apply -file .overmind/plan.out
```

Applying Changes

When running overmind terraform apply, Overmind will strive to replicate the user experience of running terraform apply. It will generate a plan file but will not show this to the user. If the user specifies -file, Overmind will link the apply to an existing change rather than creating a new one. The yes/no decision will be made after the risks have been calculated.

For users running with -auto-approve, Overmind will skip the risk calculation step.

Reporting Bugs, Requesting Features, or Contributing to Overmind

License

See the LICENSE file for licensing information.