Automated Infrastructure as Code and Security as Code: Linking Terraform Cloud, Azure DevOps, Azure Virtual Machines, and Trend Micro Cloud One

Ok, ok, ok! It's the start of the weekend! These experiments were a lot of fun, and I'd like to share them with you to kickstart your weekend! This evening I was integrating Terraform Cloud, Azure DevOps Repos, Azure Virtual Machine configurations, and, drumroll... Trend Micro Cloud One! That is a lot of integrations across multiple cloud solutions! So let me give you some backstory and explain where this may be of real value to you.

Are you currently keeping your Terraform state in a shared remote backend, like an Azure Blob, but still driving every plan and apply from the local Terraform CLI? Or, worse, storing your Azure subscription credentials, configuration, and state files all locally on your development machine?

You may then be pulling your Terraform files down from Azure DevOps Repos to run plan and apply locally with the CLI. Well, I was doing both from time to time! I think a lot of people do! That does tie up your dev machine, though! Wouldn't you rather free that machine up to do something cool like SETI@home instead of watching Terraform plans run locally? I would!

So, I stumbled upon Terraform Cloud, where I can do all of that in the cloud! Remote state, remote plan, remote apply, a remote connection to my Azure DevOps repo as the source of truth (GitOps), and a remote connection to my Azure subscription are all now at my disposal!

Bwahahhahahaha! Ok, sorry, Halloween is over! Got carried away there!

As an added bonus, I decided to integrate and automate security as code as well, with Trend Micro Cloud One Workload Security. These are all hosted cloud services: Terraform Cloud, Azure DevOps, Azure subscription(s), and Trend Micro Cloud One! Wow!

To start, I signed up for an account with Terraform Cloud and created a new Terraform workspace.

Next, I connected the workspace to my Azure DevOps repo. This links the Terraform configuration files stored in the Azure DevOps repo with the Terraform Cloud service. How exciting!

Here is my Terraform Cloud app registration in Azure Active Directory. I also created the associated service principal and a client secret that Terraform Cloud uses to authenticate. These credentials are used when the plan and apply stages of a Terraform Cloud run execute, so Terraform Cloud can talk directly to my Azure subscription and make the infrastructure changes. The connection information is stored as environment variables in my Terraform Cloud workspace: ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_TENANT_ID and ARM_SUBSCRIPTION_ID, which the azurerm provider picks up automatically, so nothing secret has to live in the repo. Two habits worth keeping here: mark ARM_CLIENT_SECRET as a sensitive variable so it is write-only in the workspace UI and API, and grant the service principal only the role it needs (Contributor on the target subscription or resource group, not Owner on the tenant). How awesome is that!

Ok, cool, so now let's build something! Right?? In my Terraform repo in Azure DevOps I have a test Linux virtual machine template to use. In Visual Studio Code you can see where I specify the details of the OS image selection, as an example.

Once I commit and push this to the Azure DevOps repo, wonderful things start to happen in the merry old land of automation, all because of the connection between Terraform Cloud and Azure DevOps. The push kicks off a Terraform run automagically. The subsequent stages are my plan and apply. One thing to know: in a VCS-driven workspace the plan runs on every push to the tracked branch, but the apply waits for you to confirm it in the UI unless you turn on auto-apply for the workspace. My remote state is also tracked in Terraform Cloud. To illustrate, look out below!

Here is the run status screen in my Terraform Cloud workspace: the run was kicked off automatically, with the corresponding repo and commit listed, as soon as I committed and pushed from Visual Studio Code.


If I drill down further, I can see my commits and the raw output of my Terraform plan in real time, or download it for later use.

I can also see the raw results of my Terraform apply. No more watching this on my local machine!! Huzzah!!

Looky here, folks! I can even see my Terraform state history tracked as well!

Ok, let's go ahead and do a "scale up" test on our newly created Azure virtual machine, and watch all of this happen in an automated fashion in our versioned Terraform infrastructure.

You can see that the current virtual machine size is a B2s. Let's scale that dude up in the code and commit it: changing that one line (the VM size) adjusts our infrastructure accordingly and should double the RAM in the machine automatically by switching sizes/families. One caveat for anything that is not a lab box: Azure deallocates and restarts the VM to apply a new size, so expect a short outage on a running machine.

Let's commit that to Azure DevOps and see what happens automagically! I am holding my breath as I click the commit button!

Ok, cool! We can see the run kicking off automatically from the source code push into Azure DevOps Repos and auto-executing a new Terraform plan. Instant upgrade, please! Thank you!

Now, in turn, we see the Terraform apply being executed. We can monitor and download the tracked change logs, which is even cooler!

There we have it! Look at the Azure Portal: my resize is complete! I just doubled my RAM programmatically from source in less than 4 minutes!

Ok, last but not least, we cannot forget about security! Let's go ahead and install our Trend Micro Cloud One Workload Security agent programmatically with Terraform!

I'll start by logging into my Trend Micro Cloud One subscription.

I go right into Workload Security, where my Azure cloud connector is already established to my subscription. Here I can see my subscription, resource groups, and my Terraform-created machine. Hello there, buddy! Notice that it is not managed and no security policy is currently assigned. Well, we have to do something about that!

Alrighty, let's generate a deployment script from the Cloud One Workload Security console that we can use to install the agent and apply my Linux Best Practice security policy. I can do this handily dandily in the console.

I can go ahead and download this script. The really cool thing is that when this script runs it registers the machine with the Trend Micro Cloud One Workload Security console and applies the Best Practices security policy for Linux. It also automatically installs the proper agent for the Linux build/distro I am using! Excellent! One practical note: the generated script embeds the activation details (your tenant ID and an activation token) that bind the agent to your account, so treat the file as a secret rather than as plain configuration.

Ok, here we go! Ready? Let's put that script into action and commit it as a shell script file in my Azure DevOps repo.

I then call the deployment script from my Terraform configuration using the custom script extension resource (azurerm_virtual_machine_extension with the Microsoft.Azure.Extensions CustomScript handler). This infrastructure change invokes the shell script on the VM. Because the script carries the activation token, pass it through protected_settings rather than settings: protected settings are encrypted and only decrypted on the VM, whereas settings are readable from the portal and the extension's status.
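Here is what that configuration looks like end to end, as an added example and not the author's actual repo: the VM resource from the scale-up step with the size pulled into a single variable, plus the custom script extension that runs the committed deployment script. Resource names, region, network layout, the Ubuntu image, the scripts/cloudone-deploy.sh path and the CustomScript handler version are my assumptions; the page does not show them. Credentials come only from the workspace environment variables, and the script goes through protected_settings so the activation token never appears in the portal.

```hcl
terraform {
  required_version = ">= 0.13"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 2.0"
    }
  }
}

# No credentials in code: the azurerm provider reads ARM_CLIENT_ID,
# ARM_CLIENT_SECRET, ARM_TENANT_ID and ARM_SUBSCRIPTION_ID from the
# Terraform Cloud workspace environment variables.
provider "azurerm" {
  features {}
}

# The one line that drives the scale-up: change the default (or override it
# in the workspace), push, and the plan shows an in-place resize.
# Standard_B2s has 4 GiB RAM; Standard_B2ms doubles that to 8 GiB.
variable "vm_size" {
  type    = string
  default = "Standard_B2s"
}

# Assumed to be set as a workspace variable; never commit private keys.
variable "admin_ssh_public_key" {
  type = string
}

# Names, region and addressing below are assumptions for this example.
resource "azurerm_resource_group" "lab" {
  name     = "rg-tfc-lab"
  location = "eastus"
}

resource "azurerm_virtual_network" "lab" {
  name                = "vnet-tfc-lab"
  address_space       = ["10.10.0.0/16"]
  location            = azurerm_resource_group.lab.location
  resource_group_name = azurerm_resource_group.lab.name
}

resource "azurerm_subnet" "lab" {
  name                 = "snet-vms"
  resource_group_name  = azurerm_resource_group.lab.name
  virtual_network_name = azurerm_virtual_network.lab.name
  address_prefixes     = ["10.10.1.0/24"]
}

# Private NIC only: no public IP, so the VM is not reachable from the internet.
resource "azurerm_network_interface" "lab" {
  name                = "nic-tfc-lab"
  location            = azurerm_resource_group.lab.location
  resource_group_name = azurerm_resource_group.lab.name

  ip_configuration {
    name                          = "internal"
    subnet_id                     = azurerm_subnet.lab.id
    private_ip_address_allocation = "Dynamic"
  }
}

resource "azurerm_linux_virtual_machine" "lab" {
  name                  = "vm-tfc-lab"
  resource_group_name   = azurerm_resource_group.lab.name
  location              = azurerm_resource_group.lab.location
  size                  = var.vm_size
  admin_username        = "azureuser"
  network_interface_ids = [azurerm_network_interface.lab.id]

  admin_ssh_key {
    username   = "azureuser"
    public_key = var.admin_ssh_public_key
  }

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  # The OS image selection shown in VS Code in the article; Ubuntu LTS assumed.
  source_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "18.04-LTS"
    version   = "latest"
  }
}

# Security as code: run the Cloud One deployment script committed in the repo.
# The script embeds the tenant ID and activation token, so it is passed in
# protected_settings (encrypted, not visible in the portal), never in settings.
resource "azurerm_virtual_machine_extension" "cloudone_agent" {
  name                       = "TrendMicroCloudOneAgent"
  virtual_machine_id         = azurerm_linux_virtual_machine.lab.id
  publisher                  = "Microsoft.Azure.Extensions"
  type                       = "CustomScript"
  type_handler_version       = "2.1"
  auto_upgrade_minor_version = true

  protected_settings = jsonencode({
    # "script" takes the base64-encoded script body and runs it with /bin/sh.
    script = base64encode(file("${path.module}/scripts/cloudone-deploy.sh"))
  })
}
```

Two things to keep in mind when running this: the extension executes the script as root, so review the generated script before committing it, and the VM needs outbound HTTPS to the Cloud One agent endpoints for activation to succeed. Because the script body is part of protected_settings, editing the committed script changes the resource and the next push re-runs it on the VM.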

Let's commit and push these changes and see what happens automagically! Shall we? Again, breath-holding sequence commencing!

Wow! Here we can see that the Terraform plan completed successfully and Terraform Cloud is now automatically running the apply. This updates the existing, running virtual machine in real time: Infrastructure as Code and Security as Code in action! It is creating the Trend Micro custom script extension and executing my deployment script.

We can see that script executing in the Azure Portal as well.

Here we see that the run completed successfully in Terraform Cloud.

We can also view the output of the custom script extension and the Trend Micro Cloud One Workload Security agent install log in the Azure Portal.

Let's check the Trend Micro Cloud One Workload Security console, with its handy Azure cloud connector, and see whether the virtual machine has been updated and is now protected by Trend Micro.

Cowabunga! Look at that! Our Azure virtual machine is showing Managed and Online, and it has our Linux Best Practice security policy automatically applied! This was all done with a few lines of code to update and secure our infrastructure programmatically!

As always, when we are done with testing we want to tear down what we built, right? You can easily queue a destroy run right in Terraform Cloud as well, and it goes through the same plan and confirm steps as any other run. There we go! Mission complete! WooT!

So, that's it, my friends! We have seen Infrastructure as Code and Security as Code both in action, brought together with Terraform Cloud, Azure DevOps, Azure Virtual Machines, and Trend Micro Cloud One: all hosted cloud solutions integrated together! I hope you all have a great weekend and enjoyed looking and learning with these experiments as much as I enjoyed making them. Stay safe, and until next time!


References:

Terraform Cloud documentation: https://www.terraform.io/docs/cloud/index.html
Azure DevOps: https://azure.microsoft.com/en-us/services/devops/
Trend Micro Cloud One: https://cloudone.trendmicro.com/
azurerm_virtual_machine_extension resource, Terraform Registry: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_machine_extension
Terraform on Azure documentation: https://docs.microsoft.com/en-us/azure/developer/terraform/
SETI@home: https://setiathome.berkeley.edu/