Programmatically Deploy AKS and Trend Micro Deep Security Smart Check with Terraform Cloud and Azure DevOps
Helloooo Everybody! Turkey Day is around the corner! Hope you are all having a good week so far! So, I was trying some new experiments to deploy an AKS cluster automatically and pair it nicely with some container image security with Trend Micro Deep Security Smart Check. This was all done using Infrastructure as Code housed in Azure DevOps Repos and utilizing Terraform Cloud as my trustworthy provisioner.
The first thing I did was hook up my Terraform Cloud account to my Azure DevOps Repo. This is shown below. This repo contains the Terraform deployment code which will provision an Azure AKS cluster, and as an added bonus provision Trend Micro Deep Security Smart Check capabilities via a Kubernetes Helm chart automatically. The Terraform Cloud Account has my secure integration with Azure DevOps, Terraform Infrastructure state files, and all my Terraform deployments in one place! Well, Golly Bob Howdy! Let's get going!
Here you can see below where I am using the "helm_release" resource section in Terraform to pull in and deploy my Trend Micro container image scanner for my AKS cluster. This is pulling in the Trend Micro Deep Security Smart Check solution right from GitHub! Dude, you're getting container security!
This pairs quite nicely right along with the AKS cluster creation resource in Terraform shown below.
Pro tip! You are going to need to use the helm resource provider in Terraform. The cluster connection attributes it references become available after the Kubernetes cluster is built using the AzureRM Terraform resource provider. The helm provider will use these attributes to connect to the newly created cluster to deploy the helm chart as a release. Release and unleash the container security!
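The wiring described above, as an added sketch that is not the configuration from the original post: the resource names, region, node sizing, the `smartcheck_auth` variable, the `auth.*` chart value names and the archive URL derived from the referenced GitHub repo are all assumptions. It uses helm provider 2.x block syntax and passes the initial credentials through `set_sensitive` so they stay out of plan and apply output.

```hcl
# Added example: every name and value below is hypothetical, not from the original post.
variable "smartcheck_auth" {
  type      = object({ secret_seed = string, password = string })
  sensitive = true # redacted in plan/apply output, but still written to the state file
}

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "rg" {
  name     = "rg-aks-smartcheck" # constructed name
  location = "eastus"
}

resource "azurerm_kubernetes_cluster" "aks" {
  name                = "aks-smartcheck"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  dns_prefix          = "akssmartcheck"
  default_node_pool {
    name       = "default"
    node_count = 2
    vm_size    = "Standard_D2s_v3"
  }
  identity {
    type = "SystemAssigned"
  }
}

provider "helm" { # connects using attributes exported by the cluster resource above
  kubernetes {
    host                   = azurerm_kubernetes_cluster.aks.kube_config[0].host
    client_certificate     = base64decode(azurerm_kubernetes_cluster.aks.kube_config[0].client_certificate)
    client_key             = base64decode(azurerm_kubernetes_cluster.aks.kube_config[0].client_key)
    cluster_ca_certificate = base64decode(azurerm_kubernetes_cluster.aks.kube_config[0].cluster_ca_certificate)
  }
}

resource "helm_release" "smartcheck" {
  name             = "deepsecurity-smartcheck"
  namespace        = "smartcheck"
  create_namespace = true
  chart            = "https://github.com/deep-security/smartcheck-helm/archive/master.tar.gz" # assumed archive path
  set_sensitive {
    name  = "auth.secretSeed" # assumed chart value name
    value = var.smartcheck_auth.secret_seed
  }
  set_sensitive {
    name  = "auth.password" # assumed chart value name
    value = var.smartcheck_auth.password
  }
}
```

Set `smartcheck_auth` as a sensitive workspace variable in Terraform Cloud rather than committing it to the repo.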
Now let's Git it done! What I mean is let's Git a commit going on here! As Ricky Bobby says, "I wanna go fast!"
Ok, now that the push has taken place to my Azure DevOps Repo, Terraform is listening in on that and is going to commit a new plan and automatically trigger a subsequent apply.
Let's zoom on over to Terraform Cloud to watch and learn!
The first thing I noticed is my workspace was automatically triggered with a new Terraform Plan event in my run status!
I can see where my commit is displayed as well right out of Azure DevOps. Integration is oh so sweet!
Here are my Terraform plan and apply steps in detail and in real time. Let the cluster creation commence! I no longer have to tie up my local machine running Terraform. This is most excellent!
Clusterization is complete! Helm deployment Go! You can see above that my Trend Micro helm deployment is now complete in a matter of minutes!
Git it Done deployment is now applied and complete! That is a good feeling when everything works as intended!
Let us now spring forth and check out Azure and see our freshly hatched resources!
Check it out! We can see our newly deployed AKS cluster and we see our namespace for our container image scanner deployed and active! Let's check out the services and ingresses section to see our service IP address.
Now, I can visit the Trend Micro Deep Security Smart Check scanner by the public IP address.
I am going to go ahead and enter my initial creds from my Terraform template variables which should prompt me to change upon first login.
The next thing I will do is add the test Container Registry in Azure for scanning.
Here are the scan results of my test Azure Container Registry.
Well, let's tear this thing down! That's easy! I can run a Terraform Destroy right from Terraform Cloud!
Well, that's it! I hope you enjoyed today's flight! Seriously, it was a lot of fun experimenting with these solutions, integrating, and trying out some new things. Have a great week! See you next time and stay safe!
References:
https://www.terraform.io/docs/cloud/index.html
https://github.com/deep-security/smartcheck-helm
https://docs.microsoft.com/en-us/azure/developer/terraform/create-k8s-cluster-with-tf-and-aks