Built-in DevSecOps & Cost Estimation Integrations to Boost your Terraform Deployments
Managing IaC-based infrastructure always brings a risk of having a significant impact on the environment. The slightest change may result in unexpected costs, security flaws, or a code that does not comply with the organization’s standards.
The most effective way to be protected from these misconfigurations is to detect them as early as possible in the development process. This is also known as the Shift Left Approach, leveraging DevSecOps CI-CD.
While using Cloudify’s Terraform Plugin, there’s no need for manual configuration or installations, etc. anymore, the terraform integrations are ready to use out-of-the-box.
Meet our four heroes of DevSecOps:
- Syntax validation like TFLint
- Static code analysis and security validation like tfsec
- Tagging validation through Terratags
- Cost estimation analysis like Infracost
Static Code Analysis – TFLint
TFLint is a framework that Cloudify uses to provide static code analysis. It’s made to enforce best practices, check naming conventions, and warn about possible errors with major Cloud providers.
Once you decide on the naming and code convention at your organization, you can define a set of rules and plugins that you want to run static code analysis and enhance pre-apply checks.
Output in logs example:
Security Validation – tfsec
Tfsec is a static analysis security scanner for Terraform code and a main pillar of DevSecOps. Cloudify’s terraform plugin can enable tfsec checks before ‘terraform apply’ happens. This will lead to adding fully documented security checks that make detection and remediation quick and efficient. tfsec can be configured to fail deployment if it does not comply with the rules, this prevents many catastrophic errors.
Output in logs example:
Automated Tags – Terratag
Terratag is an open-source tool used for tag management of resources deployed with Terraform. It could be applied across terraform and Terragrunt files for major Cloud providers. Tagging resources couldn’t be easier. Adding tagging configuration at the module level enhances all created resources with selected tags.
Output in logs example:
Cost Management – Infracost
Infracost integrates with multiple cloud providers and gives estimated monthly charges based on the resources in the terraform model. The result is saved in two formats 1. as human-readable plaintext and 2. JSON output which you can collect and process. Cost indication might be just informative or added to your approval process in ServiceNow or CI/CD.
Hands-On
Let’s get our hands dirty and play with some examples of DevSecOps usage. Try our SaaS solution or self-hosted Cloudify Manager. For this purpose, we are using a generic Cloudify Terraform blueprint. Please follow the README instructions to upload the blueprint and create it with the CLI. To continue with the UI, use the following instructions.
Before uploading, create the necessary secrets:
AWS
aws_access_key_id | AWS access key |
aws_access_secret_id | AWS secret key |
AZURE
azure_tenant_id | Azure tenant id |
azure_client_id | Azure client id |
azure_subscription_id | Azure subscription id |
azure_client_secret | Azure client secret |
In the blueprints tab click on ‘Upload blueprint’ and put this link in the URL:
Then click ‘Upload’. Once uploaded, you can click on ‘Deploy’:
And load JSON inputs from the repository for AWS or Azure. Please manually fill in the necessary fields (aws_region, aws_zone, or azure_location).
Then click ‘Deploy’. Example install workflow should have just started.
Running tfsec/ TFLint/ Terratag
Along with the deployment installation (install workflow), one of the first operations executed on the Terraform module node is an operation called ‘cloudify.interfaces.lifecycle.configure’. This operation executes all enabled tools (except infracost).
If you run an installation in the previous steps, you don’t need this step. Just look for the ‘cloudify.interfaces.lifecycle.configure’ operation in the logs to see the output.
CLI: cfy executions start install -d <deployment id>
UI:
Click on Deployment actions and choose Install.
Running Infracost
CLI: cfy executions start run_infracost -d <deployment id>
UI:
Navigate to deployment and click Execute workflow then Tf and choose ‘Run infracost’:
Next, you can leave all default parameters that are ignored unless you put your own. The workflow will automatically detect Terraform module nodes and run Infracost on all the nodes (see example).
As a result, Infracost calculation is shown in Deployment
Conclusion
Have you ever heard stories about Bob who put your production environment down or committed SSH and exposed the environment? Have you heard about Alice whose VMs pushed cloud billing to the edge?
Try not to be like Bob or Alice, use Cloudify with enhanced terraform experience. These situations occur on a daily basis, with presented checks, we can be one step ahead of the errors and prevent long-term consequences.
Cloudify & Terraform are a perfect combination when you want to take complex care of your IaC configuration with minimal effort. All these solutions come with the product with help of DevSecOps OpenSource solutions while you can focus on the infrastructure and applications.