Azure DevOps Pipeline DevSecOps with Terraform and Tfsec

Azure DevOps is Microsoft's cloud-hosted platform that gives developers CI/CD capabilities in one place. In this post I'm going to show how to run a release pipeline with TFSec to scan IaC for the potential misconfigurations that can arise when writing infrastructure as code.

If you want to follow along, here are a few pre-requisites:

1. An Azure subscription; if you don't have one, sign up for one at https://azure.microsoft.com/en-us/
2. An Azure DevOps project. This is essentially the project your repo will sit inside, and it looks like the image below.
3. A service principal whose credentials will be written into the terraform.tfvars file (these won't be exposed; we will cover that below).
4. Some familiarity with Terraform.

So let's look at what needs to happen in the portal.

As you can see, there are a few options here. We're mostly going to cover the tutorial, but feel free to explore the tabs on the navigation. Think of this as a centralized portal for your project where your team will work on the code you're developing; the wiki is helpful for quickly finding any information pertaining to the project. This one is obviously bare bones since it's just a demo.

We're going to navigate to Pipelines > Releases, shown as a rocket icon; here you can see the options you have.

We will select "New Pipeline". This also assumes you have an "artifact", meaning a repository of code that the release will operate on; this will become clearer in the next steps.

For this template we will select Empty Job, and I'm going to name this Terraform.

Click the hyperlink, which opens the next page of tasks that we will use to define our pipeline.

For the tasks, type in "terraform" and select Terraform Installer to ensure Terraform is installed on the agent "machine" that will run our code. Select Add to put this in our tasks; we will use the same author's (Charles Zipp) tasks for the rest of the pipeline.

I've pulled the .zip file officially from terraform.io to ensure that when it searches for the download URL it's from the source and we're running the latest.

Next, click the + sign again to add another task, and add Terraform CLI.

We will repeat this three times, adding a task each time, and then add a task and search for tfsec; your pipeline tasks will look like this.

We also have to add our artifact to the pipeline; for this example I've uploaded my configuration into Azure Repos via Git.

This shows how it maps in the configuration.

Now navigate to portal.azure.com and open a Cloud Shell session, or if you have the Azure CLI locally you can run this in your terminal:

az ad sp create-for-rbac

The output of this is sensitive; don't share it with anyone. It will be added to the Variables page as a secret.

Select the "Variables" section to add these; how we pass them in comes next.

Add these to this section and select the lock icon to the right to hide the values as secrets.

To pass these into the task, navigate back to "Tasks" and select the Terraform plan task; the drop-down on the blade to the right will have a Variables option to expand, as shown below.

In the Terraform Plan task you'll also upload your terraform.tfvars.

This will house your appId/password, shown below with x as the value.

Remember these are sensitive values, so don't share them.

Once we are all configured with our values, select Create Release.

You'll see the initialization as follows.

If you read the logs, they direct you to a link that shows the run results and why this failed, which was due to a misconfiguration.

As you can see, this is also noted when you select Test Results.
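As an added illustration that is not part of the original post, here is the kind of Terraform configuration that makes this release fail, beside its hardened form. The provider block reads the service principal from variables so the values come from terraform.tfvars (the secrets configured above) rather than being hard-coded; the resource names are constructed for the example and the attributes assume the azurerm 3.x provider.

```hcl
# Service principal credentials arrive from terraform.tfvars (held as
# pipeline secrets), never hard-coded in the provider block.
variable "client_id"       { sensitive = true }
variable "client_secret"   { sensitive = true }
variable "tenant_id"       {}
variable "subscription_id" {}

provider "azurerm" {
  features {}
  client_id       = var.client_id
  client_secret   = var.client_secret
  tenant_id       = var.tenant_id
  subscription_id = var.subscription_id
}

resource "azurerm_resource_group" "demo" {
  name     = "rg-tfsec-demo" # constructed example name
  location = "eastus"
}

# BEFORE: the misconfiguration tfsec reports and the release fails on.
# Plain HTTP is allowed and the minimum TLS version is 1.0, so traffic
# to the account can be downgraded or sent in the clear.
resource "azurerm_storage_account" "insecure" {
  name                      = "sttfsecdemoinsecure"
  resource_group_name       = azurerm_resource_group.demo.name
  location                  = azurerm_resource_group.demo.location
  account_tier              = "Standard"
  account_replication_type  = "LRS"
  enable_https_traffic_only = false
  min_tls_version           = "TLS1_0"
}

# AFTER: the hardened form that passes the same tfsec checks.
resource "azurerm_storage_account" "hardened" {
  name                      = "sttfsecdemohardened"
  resource_group_name       = azurerm_resource_group.demo.name
  location                  = azurerm_resource_group.demo.location
  account_tier              = "Standard"
  account_replication_type  = "LRS"
  enable_https_traffic_only = true
  min_tls_version           = "TLS1_2"
}
```

With the "insecure" resource present the tfsec task fails the release as shown in the post; remove it (or correct its two transport settings) and the same run goes green.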

How does this relate back to DevSecOps?

Code scanning provides a guard rail for your developers and security team to identify and pinpoint an issue at the phase of the pipeline where it arises, with the pipeline task providing the coverage. This is just a small example of using an open-source tool such as TFSec in DevOps; the best part is that the tool is universal, so we can also explore how this will look in GCP/AWS.

A few notes on this tutorial:

In a DevOps platform you'll have a lot of tools to choose from, but be aware of their strengths and conduct thorough diligence on the tools to meet your requirements.

The same person who writes the code should not be the one able to push it into production. Another reviewer should go through the pipeline and its tests to review the code, then go back to the developer for remediation of the findings and hardening of the configuration, depending on what was found.

Like anything, you'll only get better at these tools and concepts by exploring multiple repos, but writing Terraform yourself will also bring to life the art of building infrastructure defined by code.