Edit

Share via

DevSecOps for infrastructure as code (IaC)

Microsoft Sentinel
Azure Monitor
GitHub

Solution ideas

This article describes a solution idea. Your cloud architect can use this guidance to help visualize the major components for a typical implementation of this architecture. Use this article as a starting point to design a well-architected solution that aligns with your workload's specific requirements.

This solution idea illustrates the DevSecOps pipeline that uses GitHub for infrastructure as code (IaC). It also describes how to govern the workflow for operational excellence, security, and cost optimization.

Terraform is a trademark of Hashicorp. No endorsement is implied by the use of this mark.

Architecture

Diagram that shows the architecture for DevSecOps for IaC.

Download a Visio file of this architecture.

Dataflow

The following dataflow corresponds to the previous diagram:

  1. Use test-driven development to check code changes for infrastructure definitions, like IaC templates, into GitHub repositories. You develop unit tests, integration tests, and policy as code (PaC) at the same time to test the quality of the IaC.

  2. Pull requests trigger automated unit testing through GitHub Actions.

  3. Configure the GitHub Actions workflow process to test the IaC by using locally deployed infrastructure states and plans.

  4. Configure GitHub Actions to scan for code quality and security problems. Create your own custom-built GitHub CodeQL queries to analyze IaC templates and detect potential security vulnerabilities. If a vulnerability is detected, GitHub sends alerts to the organization or to repository owners and maintainers.

  5. The IaC tool provisions and modifies resources for each environment by tailoring size, instance count, and other properties. You can run automated integration tests for IaC on provisioned resources.

  6. When a manual update to the infrastructure is necessary, the designated administrator access is elevated to perform the modifications. After modification, the elevated access is removed. You should also log a GitHub Issue for reconciliation of the IaC. The reconciliation steps and approaches depend on the specific IaC tools.

  7. SecOps continuously monitors and defends against security threats and vulnerabilities. Azure Policy enforces cloud governance.

  8. When an anomaly is detected, a GitHub Issue is automatically logged so that it can be resolved.

Components

  • GitHub is a code-hosting platform for version control and collaboration. A GitHub source-control repository contains all project files and their revision history. Developers can work together to contribute, discuss, and manage code in the repository.

  • GitHub Actions provides a suite of build and release workflows that covers continuous integration, automated testing, and container deployments.

  • GitHub Advanced Security provides features to secure your IaC. It requires another license.

  • CodeQL provides security scanning tools that run on static code to detect infrastructure misconfigurations.

  • Terraform is a partner product developed by HashiCorp that allows infrastructure automation on Azure and other environments.

  • Microsoft Defender for Cloud provides unified security management and advanced threat protection across hybrid cloud workloads.

  • Microsoft Sentinel is a cloud-native security information and event management (SIEM) and security orchestration automated response (SOAR) solution. It uses advanced AI and security analytics to help you detect and respond to threats across your enterprise.

  • Azure Policy helps teams manage and prevent IT problems by using policy definitions that can enforce rules for cloud resources. For example, if your project is about to deploy a virtual machine that has an unrecognized SKU, Azure Policy alerts you to the problem and stops the deployment.

  • Azure Monitor collects and analyzes app telemetry, such as performance metrics and activity logs. When this service identifies irregular conditions, it alerts apps and personnel.

Scenario details

Conceptually, the DevSecOps for IaC is similar to DevSecOps for application code on Azure Kubernetes Service (AKS). But you need a different set of pipelines and tools to manage and automate continuous integration and continuous delivery for IaC.

When you adopt IaC, it's important to create automation tests as you develop the code. These tests reduce the complexity of testing IaC when your workload scales. You can use local infrastructure configuration states like Terraform states and plans for test-driven development. These configuration states emulate the actual deployments. You can run integration tests for IaC on actual infrastructure deployments by using the Azure Resource Graph REST API.

PaC is another important method to deliver infrastructure that complies with regulations and corporate governance. You can add PaC workflows into your pipelines to automate cloud governance.

Securing infrastructure early in the development stage reduces the risks of misconfigured infrastructure that exposes points for attack after deployment. You can integrate static code analysis tools like Synk or Aqua Security tfsec by using GitHub's CodeQL to scan for security vulnerabilities in infrastructure code. This process is similar to static application security testing.

When the infrastructure is deployed and operational, cloud configuration drifts can be difficult to resolve, especially in production environments.

Set up dedicated service principals to deploy or modify cloud infrastructure for production environments. Then remove all other access that allows manual configuration of the environment. If you need manual configurations, elevate access for the designated administrator, and then remove elevated access after the change is made. You should configure Azure Monitor to raise a GitHub Issue so that developers can reconcile the changes. Avoid manual configuration if possible.

It's important to continuously monitor the cloud environment for threats and vulnerabilities to help prevent security incidents. You can use threat protection and SIEM tools to detect abnormal traffic. These tools automatically alert security administrators and raise a GitHub Issue.

Potential use cases

You're part of a central team of IaC developers that uses a multicloud strategy for the fictional company Contoso. You want to deploy cloud infrastructure into a new Azure landing zone by using DevSecOps for IaC to help ensure the security and quality of deployments. You also want to track and audit all modifications to the infrastructure.

Contributors

Microsoft maintains this article. The following contributors wrote this article.

Principal authors:

To see nonpublic LinkedIn profiles, sign in to LinkedIn.

Next steps