10 - IaC and GitOps for DevSecOps


IaC and GitOps for DevSecOps
by TWN
No part of this publication may be reproduced, copied, transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of nnSoftware GmbH.

Copyright 2023 nnSoftware GmbH. All rights reserved.


TechWorld with Nana is an established name in the DevOps and Cloud industry, and it stands for quality trainings that help 1,000s of engineers acquire the most in-demand skills in this field.

Our mission is to enable individual engineers as well as companies to take advantage of the recent developments in the Cloud and DevOps fields, and to use technologies and concepts in order to create efficient, automated, streamlined DevSecOps processes in organisations.



Infrastructure as Code for Security

IaC for security
Without IaC

Slow manual configuration

Prone to human errors

Inflexible, hard to replicate across environments

Dependent on well written and up-to-date documentation



IaC for security
Some Benefits of IaC

Efficient

Consistency and Reproducibility

Security Benefits

Increased transparency, because the code itself is documentation

We can use tools to validate the code for security misconfigurations

Code can be reviewed, tested and shared easily



Infrastructure created by IaC



GitOps - DevOps for IaC

GitOps - DevOps for IaC
What is GitOps?

Takes best practices of application development, such as version control, collaboration and CI/CD, and applies them to infrastructure

Key Concepts and Principles of GitOps

Infrastructure as Code
Git as the single source of truth
Collaboration
Automation: CI/CD pipeline to automate the process of syncing the actual state of the system with the desired state defined in the Git repository



GitOps - DevOps for IaC
Version Control with Git

Git naturally becomes part of IaC

IaC code can be versioned, just like application code
Enables you to track changes and roll back to previous configurations if needed

Use Git repository features like code reviews, merge requests etc.
Work on infra configurations simultaneously



GitOps - DevOps for IaC
CI/CD for IaC

Automate testing and deployment of infrastructure changes

Multi-stage deployments

Git becomes the single source of truth

With CI/CD configured, every infrastructure change will be applied automatically to the infrastructure
This means that just by looking at the Git repository code, we know the current infrastructure state

DevOps for App code & Infra code



Terraform state
What is TF State?

TF must store state about your managed infrastructure and configuration

This state is used by TF to map real-world resources to the configuration

Best Practice - Configure remote state

Central storage for infrastructure state

Remote store, like an S3 bucket, instead of local state on the local filesystem
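Added example, not part of the slides or of TWN's course material: a remote S3 backend the way a DevSecOps team would set it up. State files contain resource IDs and often secrets, so the state bucket is versioned (to recover from a bad apply), encrypted at rest, blocked from public access, and paired with a DynamoDB table so two pipeline runs cannot apply concurrently. All bucket, table and region names are placeholders.

```hcl
# --- bootstrap.tf: create the state store once (with local state) before any other stack uses it ---
provider "aws" {
  region = "eu-central-1" # placeholder region
}

resource "aws_s3_bucket" "tf_state" {
  bucket = "example-org-terraform-state" # placeholder bucket name
}

# Keep every version of the state file so a broken apply can be rolled back
resource "aws_s3_bucket_versioning" "tf_state" {
  bucket = aws_s3_bucket.tf_state.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Encrypt the state object at rest; state may carry credentials and private IPs
resource "aws_s3_bucket_server_side_encryption_configuration" "tf_state" {
  bucket = aws_s3_bucket.tf_state.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# Make it impossible to expose the state bucket through an ACL or bucket policy
resource "aws_s3_bucket_public_access_block" "tf_state" {
  bucket                  = aws_s3_bucket.tf_state.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Lock table: Terraform writes a LockID item while an apply is running
resource "aws_dynamodb_table" "tf_locks" {
  name         = "example-org-terraform-locks" # placeholder table name
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  attribute {
    name = "LockID"
    type = "S"
  }
}

# --- backend.tf in every other stack: point Terraform at that store ---
terraform {
  backend "s3" {
    bucket         = "example-org-terraform-state"
    key            = "prod/network/terraform.tfstate" # one key per stack/environment
    region         = "eu-central-1"
    encrypt        = true                              # server-side encryption of the state object
    dynamodb_table = "example-org-terraform-locks"     # state locking
  }
}
```

The two parts live in separate stacks: the bootstrap stack is applied once from a workstation and its own (tiny) state can then be migrated into the bucket it created with `terraform init -migrate-state`. Access to the bucket and table should be granted only to the CI role that runs `terraform apply` and to engineers who genuinely need to inspect state.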



Automated Terraform security scan

Turn the CI/CD pipeline into a DevSecOps pipeline, scanning our IaC for security misconfigurations

“terraform validate” command

Checks the script for syntax validity and general correctness of attributes, variables, modules

Using tfsec

Open source security scanner for Terraform code
Scans TF code for security vulnerabilities in infra configuration (static analysis)
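Added example, not from the slides or from the tfsec project: the kind of misconfiguration `terraform validate` accepts but tfsec reports, placed beside its hardened form. Both versions are syntactically valid Terraform, which is exactly why the pipeline needs the static security scan on top of validation. The variable names, CIDR and resource names are constructed for this example; the exact finding IDs come from the tfsec output and should be read from the tfsec documentation rather than from this page.

```hcl
variable "vpc_id" {
  type = string
}

variable "admin_cidr" {
  type        = string
  description = "Placeholder: the organisation's own management range, e.g. a VPN /24"
}

# --- Before: passes `terraform validate`, flagged by tfsec ---
resource "aws_security_group" "admin_insecure" {
  name        = "admin-insecure"
  description = "Admin port open to the whole internet"
  vpc_id      = var.vpc_id

  ingress {
    description = "SSH from anywhere"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"] # tfsec: public ingress on a security group rule
  }
}

resource "aws_db_instance" "app_insecure" {
  identifier                  = "app-db-insecure"
  engine                      = "postgres"
  instance_class              = "db.t3.micro"
  allocated_storage           = 20
  username                    = "app"
  manage_master_user_password = true
  skip_final_snapshot         = true
  publicly_accessible         = true  # tfsec: database reachable from the internet
  storage_encrypted           = false # tfsec: data at rest not encrypted
}

# --- After: same infrastructure, hardened ---
resource "aws_security_group" "admin_hardened" {
  name        = "admin-hardened"
  description = "Admin port reachable only from the management range"
  vpc_id      = var.vpc_id

  ingress {
    description = "SSH from the management range only"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr] # scoped source range instead of 0.0.0.0/0
  }
}

resource "aws_db_instance" "app_hardened" {
  identifier                  = "app-db-hardened"
  engine                      = "postgres"
  instance_class              = "db.t3.micro"
  allocated_storage           = 20
  username                    = "app"
  manage_master_user_password = true # no password literal in code or state
  skip_final_snapshot         = false
  deletion_protection         = true
  backup_retention_period     = 7
  publicly_accessible         = false # private subnet access only
  storage_encrypted           = true  # encryption at rest
  vpc_security_group_ids      = [aws_security_group.admin_hardened.id]
}
```

In a pipeline the two checks run in sequence on the checked-out repository: `terraform init -backend=false` followed by `terraform validate` catches structural errors without touching remote state, then `tfsec .` runs the static security rules, and a non-zero exit status from either step fails the merge request before anything is applied.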
Wrap Up



Treat servers as interchangeable resources that can be created, destroyed and replaced on demand. This approach is necessary when we are working with IaC - recreating infrastructures from scratch with a clean state.

Each server is carefully configured and monitored with individualized settings and configurations. Doesn’t allow for dynamic, interchangeable environments.
