DevSecOps Workshop in Azure > Class1 - Learn DevSecOps in Azure with Terraform and GitHub > Module 3 - DevSecOps Workflow
Lab 1 - Connect to Terraform Cloud¶
Terraform Cloud will be our CI: TF Cloud watches every change committed to GitHub and executes the Terraform plan.
Create a new NAP image for this lab¶
In the previous lab, we created a NAP image. This image boots and runs a dedicated script: entrypoint.sh
If you remember, we changed this script to point to your DEV branch, so that NAP pulls all the config files from your source of truth (your GitHub Dev branch).
In this lab, we use a new branch, tf_cloud, so that you can keep both branches in your GitHub repo (for demo purposes). This means we need to create another NAP image with a new image tag.
- In the `/nginx-nap` directory, copy your `nginx-repo.crt` and `nginx-repo.key`.
- Modify the `entrypoint.sh` script so it points to your GitHub repo (tf_cloud branch):

```sh
git clone --branch tf_cloud https://github.com/<YOUR_REPO>/devsecops-nap.git /tmp/devsecops/
...
```
Note
This script runs at every boot. If you look deeper into the script, you can see that it clones your GitHub repo (tf_cloud branch) into the nginx directory. This means Nginx runs with the config files coming from the GitHub repo: GitHub is our source of truth.
- Build your Docker image with the new tag `tf_cloud`:

```sh
DOCKER_BUILDKIT=1 docker build --no-cache --secret id=nginx-crt,src=nginx-repo.crt --secret id=nginx-key,src=nginx-repo.key -t <your_registry>.azurecr.io/nginx/nap:tf_cloud .
```

- Push your NAP image to your private registry. If requested, re-authenticate (see Module 1):

```sh
docker push <your_registry>.azurecr.io/nginx/nap:tf_cloud
```
Prepare your Terraform Cloud account¶
- Connect to https://app.terraform.io/ and create a free account.
- Once connected:
  - Create an Organisation (any name you want).
  - Create a Workspace of type `Version Control Workflow`.
  - Connect to VCS: select `GitHub`, authenticate, and authorize GitHub to read your GitHub repos (select allow all, or just the devsecops-nap repo).
  - Choose your `devsecops-nap` repo and click next.
  - In the next screen, open `advanced options`:
    - Set `Terraform Working Directory` to `/terraform`. This is where the plan.tf is located.
    - Set `Automatic Run Triggering` to `Always`.
    - Set the VCS branch to `tf_cloud`. We use a dedicated branch for this module in order to keep two ways to run your demo/test (manual with Dev, and CI with tf_cloud).
  - Click `create workspace`.
Configure your workspace¶
- Click on `Settings > General`.
- In `Apply Method`, change to `Auto-Apply`, so that TF Cloud automatically applies the Terraform plan.
- Click `Save`.
Set Terraform variables¶
TF Cloud has no knowledge of your AKS credentials. In the previous module, Terraform (on your laptop) used your kubeconfig file. We can't use the kubeconfig file in TF Cloud, but we can use its content.
A kubeconfig file contains 3 certs/keys:
- cluster CA certificate
- client certificate
- client key
In Module 1, when we created the AKS cluster with Terraform, we did a Terraform export, which exported several values.
- Retrieve your `client cert`, `client key` and `cluster CA cert`. If you haven't stored them, here are the commands.
- Move to the `Variables` menu.
- Create these 3 variables of type `Terraform variable`:
  - key `cluster_ca_certificate`: paste your cluster CA certificate base64-encoded value in the `value` field. Check the `Sensitive` box.
  - key `client_certificate`: paste your client certificate base64-encoded value in the `value` field. Check the `Sensitive` box.
  - key `client_key`: paste your client key base64-encoded value in the `value` field. Check the `Sensitive` box.
Note
The Terraform plan in the tf_cloud branch has been modified to use these 3 variables instead of your kubeconfig file:

```hcl
variable "client_certificate" {
  type = string
}
variable "client_key" {
  type = string
}
variable "cluster_ca_certificate" {
  type = string
}
provider "kubernetes" {
  host                   = "https://aks-matt-eu-dns-8dc14823.hcp.northeurope.azmk8s.io:443"
  client_certificate     = base64decode(var.client_certificate)
  client_key             = base64decode(var.client_key)
  cluster_ca_certificate = base64decode(var.cluster_ca_certificate)
}
```
- Modify this plan:
  - line 12: your AKS server URL. You can find this URL in your kubeconfig file.
  - line 49: your NAP Docker image created earlier (tf_cloud tag).
- Commit and push the change to your GitHub repo.
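To show how the three values travel from the kubeconfig file into the TF Cloud variables and back out through `base64decode()` in the plan, here is an added Python helper (not part of the workshop or its repo). It pulls the three base64 fields and the API server URL (the provider `host` on line 12) out of a kubeconfig, and checks that each value decodes to the PEM block the kubernetes provider expects, which catches a value pasted into the wrong variable or a decoded PEM pasted where base64 is required. The kubeconfig below is a constructed sample with placeholder certificates, and a single-cluster kubeconfig with embedded client certificate data (rather than a token) is assumed.

```python
import base64
import re

# Mapping from the Terraform variable names the tf_cloud plan declares to the
# kubeconfig keys that carry the same base64 value.
TF_VAR_TO_KUBECONFIG_KEY = {
    "cluster_ca_certificate": "certificate-authority-data",
    "client_certificate": "client-certificate-data",
    "client_key": "client-key-data",
}

# What base64decode(var.x) in the plan must produce for the provider to accept it.
EXPECTED_PEM_PREFIX = {
    "cluster_ca_certificate": ("-----BEGIN CERTIFICATE-----",),
    "client_certificate": ("-----BEGIN CERTIFICATE-----",),
    "client_key": (
        "-----BEGIN RSA PRIVATE KEY-----",
        "-----BEGIN EC PRIVATE KEY-----",
        "-----BEGIN PRIVATE KEY-----",
    ),
}


def _first_scalar(kubeconfig_text, key):
    """Return the value of the first 'key: value' line in the kubeconfig, or None."""
    m = re.search(r"^\s*" + re.escape(key) + r":\s*(\S+)\s*$", kubeconfig_text, re.MULTILINE)
    return m.group(1) if m else None


def extract_tf_vars(kubeconfig_text):
    """Return {tf_var: base64 value} ready to paste into the three TF Cloud variables.

    Assumption: a kubeconfig with a single cluster/user whose user entry embeds
    client certificate data (no token-based auth).
    """
    result = {}
    for tf_var, key in TF_VAR_TO_KUBECONFIG_KEY.items():
        value = _first_scalar(kubeconfig_text, key)
        if value is None:
            raise ValueError(f"kubeconfig has no '{key}' entry")
        result[tf_var] = value
    return result


def extract_server(kubeconfig_text):
    """Return the cluster API server URL (the provider 'host' on line 12 of the plan)."""
    server = _first_scalar(kubeconfig_text, "server")
    if server is None:
        raise ValueError("kubeconfig has no 'server' entry")
    return server


def check_tf_var(tf_var, b64_value):
    """True if the value is strict base64 and decodes to the PEM block this variable expects.

    Catches the two common mistakes when filling in the TF Cloud form: pasting a value
    that is not base64 (e.g. the already-decoded PEM) and pasting the right kind of
    value into the wrong variable (e.g. the client key into client_certificate).
    """
    try:
        decoded = base64.b64decode(b64_value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    return decoded.lstrip().startswith(EXPECTED_PEM_PREFIX[tf_var])


# --- constructed sample kubeconfig: not a real cluster, not real key material ---
def _b64(text):
    return base64.b64encode(text.encode()).decode()

CA_PEM = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CA\n-----END CERTIFICATE-----\n"
CLIENT_CERT_PEM = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CLIENT\n-----END CERTIFICATE-----\n"
CLIENT_KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-KEY\n-----END RSA PRIVATE KEY-----\n"
SERVER_URL = "https://aks-example-dns-00000000.hcp.northeurope.azmk8s.io:443"  # placeholder

SAMPLE_KUBECONFIG = f"""apiVersion: v1
kind: Config
clusters:
- name: aks-example
  cluster:
    certificate-authority-data: {_b64(CA_PEM)}
    server: {SERVER_URL}
contexts:
- name: aks-example
  context:
    cluster: aks-example
    user: clusterUser_rg-example_aks-example
current-context: aks-example
users:
- name: clusterUser_rg-example_aks-example
  user:
    client-certificate-data: {_b64(CLIENT_CERT_PEM)}
    client-key-data: {_b64(CLIENT_KEY_PEM)}
"""

if __name__ == "__main__":
    tf_vars = extract_tf_vars(SAMPLE_KUBECONFIG)
    print("host =", extract_server(SAMPLE_KUBECONFIG))
    for name, value in tf_vars.items():
        status = "OK" if check_tf_var(name, value) else "BAD"
        print(f"{name}: {status} ({len(value)} base64 chars)")
```

To use it on your own cluster, pass the text of your kubeconfig file to `extract_tf_vars` and `extract_server`, then run `check_tf_var` on each value before pasting it into the `Sensitive` variable of the same name. The base64 strings are pasted as-is: the plan's `base64decode()` does the decoding on the TF Cloud side.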
Check your first pipeline execution¶
At this point, a first Run should start, since you just pushed a commit to the tf_cloud branch.
- Go to the `Runs` menu and look at the result.
- The result must be `Applied`.
- Note the new Nginx Azure LB IP address and change your hosts file accordingly. FYI, when we destroyed our Module 2 lab, we destroyed the Nginx Azure LB as well.