DevSecOps for Infrastructure as Code (IaC)

How do we manage thousands of cloud resources with consistency while ensuring security compliance from the start?

Lutfi Ichsan Effendi
Life at Telkomsel
4 min read · Feb 1, 2024


Infrastructure as Code (IaC) is a key component of enabling best practices in cloud adoption and DevSecOps. Working with IaC was a challenge during our transition: finding the right repository structure and the right way to automate it is not as simple as it looks.

Let’s start with the definition:

“Infrastructure as Code (IaC) is the process of managing and provisioning computer data centers through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools.” (Wikipedia)

In short, it is the practice of representing infrastructure as code, whether that is JSON, YAML, HCL or a general-purpose programming language.

As such, IaC lets us reproduce the same environment every time, for every user who runs the same code with the same inputs. IaC covers three main tasks: infrastructure provisioning, infrastructure configuration and deployment of the application. All of them can be driven from code, from creating a resource all the way to eventually destroying it, in “one click”.

Image source: https://radixweb.com/

Speaking of tools, the common IaC tools are Terraform, AWS CloudFormation, Ansible, Puppet and others. Their functionality, ease of provisioning and configuration consistency are the reasons we need IaC.

However, complexities will arise.

1. How do we audit changes of IaC, and revert changes if needed?

As part of Telkomsel’s transformation journey, we set out to create a proper way to maintain the resources we deploy in the cloud. IaC can be applied from a local machine, but in day-to-day operation that proved a burden: versioning falls apart and changes cannot be tracked when everyone applies from their own laptop.

Code versioning, i.e. source control, is the right tool to simplify audit and rollback. It also avoids code mismatches between IaC developers and keeps the code consistent: when the pipeline applies only what is in the repository, what is running is what was reviewed.

Always avoid local apply

2. How to drive change and culture to avoid direct changes

One lesson we learned during the transformation from legacy to cloud technology is operational readiness. It is critical for the sustainability of the architecture that has been migrated to the cloud. Not all infrastructure team members are familiar with IaC, regardless of the language, and even someone who understands IaC can be confused by the structure of code that a different person started.

So the modules, repository structure and baseline need to be finalized first. Restructuring and standardizing code that has already been written is far harder.

The next case is an issue in production that requires quick action from infrastructure operations. Instead of trial and error in IaC, the shortcut is of course a direct change in the management console. The consequence is drift at the next infrastructure deployment, and if the changed attribute is managed by the code, the next apply may silently undo the emergency fix. It is forgivable if the engineer immediately updates the IaC so that it matches the “real world” again, but the operations team may forget, and the next team then has to eliminate the drift before it can make its own change in IaC.

This snowballs when there are no rules of the game, or no enforcement that the team always updates the code whenever there is drift. Tooling helps as well: drift detection with Snyk, Terradrift or Brainboard, or, for the simplest route, the drift detection built into Terraform Enterprise/Cloud.

Drift detection example
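The same idea in code, as an added example that is not part of the original article and not the code of any of the tools named above: a script that reads the `resource_drift` list emitted by `terraform show -json plan.out` (after a `terraform plan -refresh-only -out plan.out`) and reports, per drifted resource, which attributes differ between the last known state and what the provider now reports. The plan document embedded in the script is a constructed sample shaped like that output and trimmed to the fields the script reads.

```python
"""Report infrastructure drift from a Terraform plan rendered as JSON.

Added example for this article, not code from the article or from HashiCorp.
It reads the `resource_drift` list that `terraform show -json plan.out` emits
and lists, per drifted resource, which attributes differ between the last
state and what the provider now reports. The plan below is a constructed
sample shaped like that output, trimmed to the fields this script reads.
"""
import json
import sys

# Constructed sample: someone opened port 22 to the world in the console,
# and a log bucket was deleted by hand.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_drift": [
        {
            "address": "aws_security_group.web",
            "type": "aws_security_group",
            "change": {
                "actions": ["update"],
                "before": {
                    "name": "web",
                    "ingress": [
                        {"from_port": 443, "to_port": 443, "protocol": "tcp",
                         "cidr_blocks": ["10.0.0.0/8"]},
                    ],
                },
                "after": {
                    "name": "web",
                    "ingress": [
                        {"from_port": 443, "to_port": 443, "protocol": "tcp",
                         "cidr_blocks": ["10.0.0.0/8"]},
                        {"from_port": 22, "to_port": 22, "protocol": "tcp",
                         "cidr_blocks": ["0.0.0.0/0"]},
                    ],
                },
            },
        },
        {
            "address": "aws_s3_bucket.logs",
            "type": "aws_s3_bucket",
            "change": {"actions": ["delete"],
                       "before": {"bucket": "tsel-logs"}, "after": None},
        },
    ],
    "resource_changes": [],
})


def changed_attributes(before, after):
    """Names of top-level attributes that differ between two resource snapshots."""
    before = before or {}
    after = after or {}
    return sorted(k for k in set(before) | set(after)
                  if before.get(k) != after.get(k))


def find_drift(plan_json):
    """Return [(address, actions, changed_attrs)] for every drifted resource."""
    plan = json.loads(plan_json)
    report = []
    for rc in plan.get("resource_drift", []):
        change = rc["change"]
        attrs = changed_attributes(change.get("before"), change.get("after"))
        report.append((rc["address"], change["actions"], attrs))
    return report


def main(argv):
    """Read a plan from stdin when called with '-', else use the sample."""
    plan_json = sys.stdin.read() if "-" in argv[1:] else SAMPLE_PLAN
    drift = find_drift(plan_json)
    for address, actions, attrs in drift:
        print(f"DRIFT {address} [{','.join(actions)}]: {', '.join(attrs)}")
    # Exit 2 on drift, like `terraform plan -detailed-exitcode`, so a scheduled
    # pipeline job fails loudly and someone has to reconcile code and reality.
    return 2 if drift else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on a real plan with `terraform show -json plan.out | python drift.py -`. Scheduling this in the pipeline (for example nightly) turns "someone forgot to update the code" from a surprise at the next deployment into a ticket the same day.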

3. How do we maintain security in IaC?

Once the conditions above are met (version control and an IaC pipeline), the pipeline also needs shift-left security: not just the basic stages, but security scans and tests embedded before anything is deployed to the target environment.

On the pipeline side we can use Trivy for misconfiguration scanning, and Terratest or Terraform Test for tests. This way we identify insecure settings in the infrastructure being deployed, run unit tests and remediate before deployment, rather than discovering the problem after a breach.

DevSecOps Infra Pipeline

From the IaC standpoint, standardization is also important. We should have private modules that already comply with security best practices, and we can enforce policy with Sentinel in Terraform Enterprise/Cloud so that a plan that violates policy is rejected before it is applied.
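What such a policy gate does, as an added example that is not the article’s code and not Trivy or Sentinel: the script below expresses in Python the kind of rule those tools enforce on a plan (security groups must not expose admin ports to the whole internet; RDS instances must be encrypted and not publicly reachable) and exits non-zero so the apply stage is blocked. It takes the output of `terraform show -json plan.out`; the plan embedded in the script is a constructed sample. Values Terraform only knows at apply time live in `after_unknown` in the real format and are not inspected here.

```python
"""Policy-as-code gate over a Terraform plan, run before `terraform apply`.

Added example for this article, not the article's code and not Trivy or
Sentinel. It expresses in Python the kind of rule those tools enforce on a
plan: security groups must not expose admin ports to the whole internet, and
RDS instances must be encrypted and not publicly reachable. Input is the
output of `terraform show -json plan.out`; the plan below is a constructed
sample. Values not known until apply time live in `after_unknown` in the real
format and are not inspected here.
"""
import json
import sys

ADMIN_PORTS = {22, 3389}
ANY_CIDR = {"0.0.0.0/0", "::/0"}

SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {   # violates: SSH open to the world
            "address": "aws_security_group.bastion",
            "type": "aws_security_group",
            "change": {"actions": ["create"], "after": {"ingress": [
                {"from_port": 22, "to_port": 22, "protocol": "tcp",
                 "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}},
        },
        {   # fine: HTTPS to the world is what a web tier is for
            "address": "aws_security_group.web",
            "type": "aws_security_group",
            "change": {"actions": ["create"], "after": {"ingress": [
                {"from_port": 443, "to_port": 443, "protocol": "tcp",
                 "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}},
        },
        {   # violates twice: unencrypted and public
            "address": "aws_db_instance.main",
            "type": "aws_db_instance",
            "change": {"actions": ["create"], "after": {
                "storage_encrypted": False, "publicly_accessible": True}},
        },
        {   # being destroyed: nothing to inspect
            "address": "aws_security_group.legacy",
            "type": "aws_security_group",
            "change": {"actions": ["delete"], "after": None},
        },
    ],
})


def covers_ports(rule, ports):
    """True if an ingress rule covers any of `ports`; protocol -1 means all ports."""
    if str(rule.get("protocol")) == "-1":
        return True
    lo, hi = int(rule.get("from_port", 0)), int(rule.get("to_port", 0))
    return any(lo <= p <= hi for p in ports)


def open_to_world(rule):
    """True if the rule's IPv4 or IPv6 source includes the whole internet."""
    cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
    return bool(cidrs & ANY_CIDR)


def check_security_group(address, after):
    return [f"{address}: admin port range {r.get('from_port')}-{r.get('to_port')} open to the world"
            for r in after.get("ingress") or []
            if open_to_world(r) and covers_ports(r, ADMIN_PORTS)]


def check_db_instance(address, after):
    findings = []
    if not after.get("storage_encrypted"):
        findings.append(f"{address}: storage_encrypted must be true")
    if after.get("publicly_accessible"):
        findings.append(f"{address}: publicly_accessible must be false")
    return findings


# Resource type -> rule. Extend this table instead of adding if/else chains.
CHECKS = {
    "aws_security_group": check_security_group,
    "aws_db_instance": check_db_instance,
}


def evaluate(plan_json):
    """Return a list of policy violations for the planned resource changes."""
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        after = rc["change"].get("after")
        if after is None:  # resource is being deleted; no post-apply state
            continue
        check = CHECKS.get(rc["type"])
        if check:
            findings.extend(check(rc["address"], after))
    return findings


def main(argv):
    plan_json = sys.stdin.read() if "-" in argv[1:] else SAMPLE_PLAN
    findings = evaluate(plan_json)
    for f in findings:
        print("DENY", f)
    # Non-zero exit blocks the apply stage of the pipeline.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wire it in between plan and apply: `terraform plan -out plan.out && terraform show -json plan.out | python gate.py - && terraform apply plan.out`. Checking the plan rather than the HCL source is deliberate: the plan already has module inputs and defaults resolved, so a private module that sets `publicly_accessible = false` passes, and a caller that overrides it is caught.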

