gptscript and Terraform
Curtis Collicutt
Facilitating Security Outcomes | Security Solutions Engineer @Sysdig
On the one hand, there's a lot of excitement around AI, especially Generative AI (GenAI), perhaps too much, but on the other hand, we're often not quite sure what to do with it. ??
Some of us may have spent a lot of time with it a few months ago, then given it up, and now occasionally go back and try it out, fiddle with it, trying to figure out some kind of value. Some of us may be using it all the time, for example as a programming "co-pilot". Others are looking for the killer app that will make GenAI really work for them. Could gptscript be that killer app?
From Acorn to AICorn?
One of the organisations trying to figure out how best to use GenAI is Acorn.io.
Acorn.io has recently pivoted from being a startup providing the open source Acorn runtime project (the github projects for that are now archived) to a company that is working AI, specifically a project called gptscript.
Going forward Acorn Labs will focus entirely on developing an open source LLM stack based on the GPTScript technology. We will close down the existing Acorn beta service and archive the open source Acorn runtime project. - https://www.acorn.io/resources/blog/our-new-focus-developing-an-llm-app-platform-based-on-gpt-script-technology
So what is gptscript?
gptscript
gptscript is a way to program with GenAI.
GPTScript is a new scripting language to automate your interaction with a Large Language Model (LLM), namely OpenAI. The ultimate goal is to create a natural language programming experience. The syntax of GPTScript is largely natural language, making it very easy to learn and use. - https://github.com/gptscript-ai/gptscript
A gptscript...er script looks like the below. As you can see, it's mostly natural language, with some bash interspersed.
tools: gitstatus, sys.abort
Create well formed git commit message based of off the currently staged file contents. The message should convey why something was changed and not what changed. Use the well known format that has the prefix chore, fix, etc.
Only include changed to *.go files and any change to the go.mod file. Exclude the go.sum file.
Do not use markdown format for the output.
If there are no changes abort.
---
name: gitstatus
#!/bin/sh
git diff --staged
When run, the above would generate a commit message for you by connecting to a large language model, usually something provided by the OpenAI API. As you can see, this example also executes a bash script. So gptscript can be something of an "agent" in that it can read and write to your local filesystem and perform actions such as running a bash script.
The point of gptscript is to write your own gptscripts.
领英推荐
Terraform Explainer Example
I find IaC like Terraform fascinating because it can be somewhat challenging to understand what a set of files are actually doing when run. In a lot of ways Terraform is a kind of "infrastructure compression algorithm" where it it starts out small, but what is "uncompressed" is much larger. (The scare quotes are doing a lot of work here. ??)
I have written a quick example gptscript that looks at a set of Terraform files and explains what they do.
??? Below I'm using the basic tools that come with gptscript, "sys.find" and "sys.read", and adding a few of my own, in this case called "summary" and "security".
tools: sys.find, sys.read, summary, security
List the files in the provided directory of terraform files and read each file and describe what it will do when applied do in english language. Then summarize the entire set of actions and provide any security recommendations in the last section of the report.
---
name: summary
description: Summarize a set of terraform files
args: directory: directory to summarize
tools: sys.read
Read the files in ${directory} which are a set of terraform files. Describe what the terraform will do in english language. Ignore any variables in the reporting. Don't report in point form, instead a single paragraph. Take the perspective of an experienced terraform and cloud security guru and summarize the overall goal of the terraform.
---
name: security
description: Check for security issues in terraform files
Check the provided terraform files for security issues. If there are any, provide a list of suggested security changes for common problems. If no problems are found, return a message stating that no problems were found. In particular,consider whether anything will be made publicly available, such as s3 buckets. Summarize in a single paragraph, not point form. Take the perspective of an experienced terraform and cloud security guru and summarize the overall security posture of the terraform.
If I run this as shown below, where I have also added my OpenAI API token to the environment, gptscript will use the instructions to send the files it finds to ChatGPT 4 via the OpenAI API, analyse them and return the output.
$ gptscript terraform-explainer.gpt ~/some-terraform
??? The Terraform files in this directory actually deploy a container in Kubernetes with some basic, non-default security settings.
This is the output I get from this gptscript. As you can see, it's analysed the Terraform files one by one, then summarised the whole project, and finally made some security recommendations.
OUTPUT:
### Terraform Files Summary
#### Files in the Directory:
1. **main.tf**
2. **provider.tf**
3. **variables.tf**
#### Actions When Applied:
1. **main.tf**:
- Creates a Kubernetes namespace named after the variable `deployment_name`.
- Creates a Kubernetes ConfigMap named `nginx-config` in the namespace defined by `deployment_name`. This ConfigMap contains the configuration for an NGINX server.
- Deploys a Kubernetes Deployment in the namespace defined by `deployment_name`. This deployment:
- Uses an image specified by the variable `image`.
- Runs as a non-root user (UID 101).
- Has a read-only root filesystem.
- Mounts the `nginx-config` ConfigMap as a file.
- Mounts an empty directory as a volume for NGINX to write to.
- Sets resource limits (CPU: 500m limit, 200m request; Memory: 512Mi limit, 256Mi request).
2. **provider.tf**:
- Configures the Kubernetes provider to use the Kubernetes configuration file located at `~/.kube/config`.
3. **variables.tf**:
- Declares two variables:
- `deployment_name`: The namespace to deploy to, with a default value of `pomme-secure`.
- `image`: The image to deploy, with a default value of `nginxinc/nginx-unprivileged:stable-alpine3.17-slim`.
### Summary of Entire Set of Actions:
The Terraform configuration will set up a secure deployment in Kubernetes by creating a dedicated namespace, deploying an NGINX server with a non-root user and read-only filesystem, and applying resource limits. It uses a specific unprivileged NGINX image and configures the Kubernetes provider to manage resources in the cluster.
### Security Recommendations:
1. **Review ConfigMap Data**: Ensure that the NGINX configuration in the ConfigMap does not expose any sensitive information and is configured according to best security practices.
2. **Validate Image Source**: Verify that the NGINX image used (`nginxinc/nginx-unprivileged:stable-alpine3.17-slim`) is from a trusted source and regularly update it to include security patches.
3. **Resource Limits**: The defined resource limits and requests should be reviewed to ensure they align with the expected workload and do not allow for resource exhaustion on the node.
4. **Kubernetes Configuration File**: The use of `~/.kube/config` for the Kubernetes provider configuration should be secured to prevent unauthorized access to the cluster. Consider using more secure authentication methods if possible.
The above is a fairly accurate description of what the Terraform project will do. The security recommendations aren't great, but given that the Terraform already does a fair bit of security configuration, I'm not surprised.
In this case, I'm not affecting my local environment other than reading some Terraform files (which is a key part of the usefulness of gptscript), programmatically sending them to the OpenAI API, and getting some information about those files from it. But you could go much further, including writing files and executing them.
gptscript is a fast moving project, and I expect to see a lot more coming out of it in the next few months. We need to be able to program GenAI, and I have a feeling this is going to be a good tool to do that. At the very least, we have to explore how to use GenAI other than asking some kind of chat interface for some text.?