I work at an organization that has a majority of its services and resources in the Cloud. We use code to manage our cloud infrastructure using Azure DevOps. This article explains how to set up static code analysis for infrastructure as code using Azure DevOps pipelines and Prisma cloud. Static (non-running) code analysis is performed as part of the security development lifecycle, where tools are used to find vulnerabilities such as buffer overflow, SQL injection within application code. What is Infrastructure as Code It is the process of managing infrastructure resources using code. The prominent tools in this field are used for deploying resources. Additionally, tools such as are used for configuration. These tools effectively maintain consistency across multiple deployments and serve as documentation of existing environments. Terraform, Azure Resource Manager templates, Cloud formation templates, and Azure BICEP Ansible, Chef, and Puppet However, this process could introduce vulnerabilities into the infrastructure environment, such as publicly exposed Virtual machines or storage containers. Requirements Azure DevOps / Github. Prisma Cloud Subscription: Prisma Cloud is a product from PaloAlto Networks that offers security protection of cloud-based environments from deployment to real-time monitoring of resources using policies and anomaly detection rules. Prisma Cloud also provides pipeline tasks for Azure DevOps, GitHub, and other CI/CD tools, which can be used to scan infrastructure code for misconfigurations. Design Details Every PR with Terraform code has to pass the validation process in this flow by successfully generating a terraform plan with intended changes. Then, we feed this plan output into the Prisma IAC task to be scanned for vulnerabilities. Post which the PR is peer-reviewed and approved to merge into deployment branch. If the job fails, the PR is blocked from being merged unless open issues are resolved. Implementation Details Setup Service Connection in Azure DevOps: Generate an access key and secret key from Prisma Administrative console. Register the key in Azure DevOps as shown below Pipeline Setup There are two approaches that we can take to use Prisma Cloud Extension for Azure DevOps. However, irrespective of the approach, the controls, and policies applied are the same. Using the pipeline task to scan the entire folder of terraforming code that contains resource definitions for an environment. This approach works best for small deployments where all of the code is hosted within one folder. Using the pipeline task to scan the terraform plan output. This approach works best for complex and extensive Terraform definitions that use multi-module calls from various sources for deploying an environment. Here is the pipeline definition based on the 2nd approach: YAML Now that we have a pipeline definition setup, you can now integrate these tasks into your existing terraform validation and deployment pipelines. Pipeline execution Below is an example of pipeline execution with Prisma Warning that we have one medium issue. Constraints Prisma cloud IAC Scan only supports terraform. However, if you are using platform native tools such as ARM templates or Azure BICEP, you will be able to use services such as Azure Policy to validate your deployment. Azure Policy is a powerful service that can help catch security issues and ensure that the infrastructure definition is right-sized and meets the desired configuration. When Azure Resource Manager templates or Azure BICEP code violates a defined policy, the deployment will fail at the validation state. Since we use the validation as a gating process for all Pull Requests with Infrastructure code, this violation blocks the merge of “faulty code” into our deployment branch. References Static Code Analysis owasp.org Author: Ryan Dewhurst Contributor(s): KirstenS, Nick Bloor, Sarah Baso, James Bowie, Ram ch, EvgeniyRyzhkov, Iberiam… Azure DevOps YML Terraform Pipeline and Pre-Merge Pull Request Validation Secure Your Infrastructure Automation Control deployments by using gates - Azure Pipelines

Flow

2022 - HackerNoon Contributor of the Year - Architecture

2022 - HackerNoon Contributor of the Year - Azure

2022 - HackerNoon Contributor of the Year - Github

Nominated for 2022 - HackerNoon Contributor of the Year - Github

Nominated for 2022 - HackerNoon Contributor of the Year - Azure

Nominated for 2022 - HackerNoon Contributor of the Year - Architecture

Too Long; Didn't Read

Cassandra Forward a free Cassandra-focused community event

Static Code Analysis for Infrastructure as Code Using Azure DevOps Pipelines

Too Long; Didn't Read

Coin Mentioned

@asgr

RELATED STORIES