Managing Github via Terrafom.pdf

MANAGING GITHUB VIA TERRAFOM TO
BE COMPLIANT WITH ISO27001
Remove the UI from your On- / Offboarding GitHub Workflow

MICHA(EL) RAECK
PRODUCT OWNER DEVSECOPS
Developing a platform as a Product tailored for all
engineering colleagues.
Utilizing Kubernetes to manage cloud-native services
within Hyperscalers (AWS mostly).
Offering consultancy services for customer projects.
Coordination of contractors.
• 37 y/o
• From Leipzig (working Hybrid)
• Owned an Full Service Media Agency for
10 years
• Owned a Bar and a Restaurant
• Was a Lead Developer and Head of
Infrastrcuture at 1337 UGC
What we do as a Team? Who am I ?

4
1. PROBLEM
800Repos within 12Organizations
Different Teams / Teams in Teams /
External Users / External Users in Internal Repos ?!

5
1. PROBLEM
1.Complexity in Management:
§ Managing a variety of GitHub repositories.
§ Managing a variety of GitHub Organizations.
2.User and Access Management:
• Coordinating multiple users, groups, and teams.
• Implementing consistent permissions and branch protection rules.
3.Collaboration with External Parties:
• Providing guest access to partners and customers.
• Ensuring controlled permissions for external users to
pull or push to repositories.

6
1. PROBLEM
ISO27001:2013 requires:
Access Control: Ensuring strict access control in line with ISO 27001
to prevent unauthorized information disclosure or modification.
Audit Trails: Implementing comprehensive audit trails for changes and
access to repositories and its User Management to meet ISO 27001's monitoring
and logging standards.
Information Security Policies: Developing and enforcing information
security policies that comply with the ISO 27001 framework across all
GitHub repositories and teams.
4-Eyes Principle:

7
1. PROBLEM
ACCESS CONTROL
ONBOARDING /
OFFBOARDING
What GitHub offers:

8
1. PROBLEM
GITHUB AUDIT LOG
What GitHub offers:

9
1. PROBLEM
Does The GitHub Stuff helps in Order
To be compliant to ISO?

10
1. PROBLEM
Nah,
Not really.

11
1. PROBLEM
Nah,
Not really.
And the UI is annoying

13
THE NOT SO BORING PART
2
Utilizing Terraform for Managing GitHub

14
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
registry.terraform.io/providers/integrations/github/latest/docs
• Uses the GitHub API

15
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
• In Order to have proper rights, and Access Control you should set up an
Organization:
• https://github.com/orgs/terraform-github-test-orga

16
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
Assumptions:
• Terraform is up and running
• You store your state in some Sort of Backend
• S3 dynamo DB
• Terraform Cloud ?
• GH Access Personal Access token is stored in an ENV Variable

17
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
• Wanna try some code?

18
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
DEFINE A REPO
provider "github" {
owner = "terraform-github-test-orga"
}
# Repo
resource "github_repository" "example-repo" {
name = "terraform-github-test-repo-devops-meetup-2023"
description = "A Repo for the Terraform GitHub Provider Example"
visibility = "public"
}

19
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
SETUP A PULL
TEAM
# Creating a Team with Pull Rights
resource "github_team" "pull_team" {
name = "Pull Team"
description = "A team to READ on Terraform-managed repositories"
}
# Giving the Team correct Permissions
resource "github_team_repository" "team_repo_pull" {
team_id = github_team.pull_team.id
repository = github_repository.example-repo.name
permission = "pull"
}
# Assigning a Member to the Team
resource "github_team_membership" "team_membership_pull" {
team_id = github_team.pull_team.id
username = “exampleUserOnGitHub"
role = "member"
}

20
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
PLANING
CREATE AN PR
FOR IT
➜ ✗ terrafrom plan

21
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
PLANING
CREATE AN PR
FOR IT
terraform will perform the following actions:
# github_team.pull_team will be created
+ resource "github_team" "pull_team" {
+ create_default_maintainer = false
+ description = "A team to READ on Terraform-managed repositories"
…
}
# github_team_membership.team_membership_pull will be created
+ resource "github_team_membership" "team_membership_pull" {
+ etag = (known after apply)
+ id = (known after apply)
+ role = "member"
+ team_id = (known after apply)
+ username = "mixxor"
}
# github_team_repository.team_repo_pull will be created
+ resource "github_team_repository" "team_repo_pull" {
+ etag = (known after apply)
+ id = (known after apply)
+ permission = "pull"
+ repository = "terraform-github-test-repo-devops-meetup-2023"
+ team_id = (known after apply)
}
Plan: 3 to add, 0 to change, 0 to destroy.

22
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
PLANING
CREATE AN PR
FOR IT
➜ ✗ git commit –m „chore(YOUR-JIRA-TICKET): Add Max Mustermann“

23
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER

24
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
• Let someone else grant this request.
• 4 eyes Principle in place.
➜ ✗ terrafrom apply
...

25
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
Nicely done, now we have a way to create
Repos and Teams
for all repos we manage / create
with terraform!

26
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
Wait ?
Only Repos which
are managed via Terraform?

27
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
Yes!
You need to import them!

28
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
APPLYING
# main.tf
# define first your existing repo here
resource "github_repository" "_devops_meetup" {
name = "_devops_meetup"
description = "let the Teams care about the Repo"
visibility = "private“
#sh
➜ ✗ terraform import github_repository._devops_meetup _devops_meetup
➜ ✗ terraform plan
➜ ✗ terraform apply

29
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
What can we do now ?
• Create / Manage Repos
• Create / Manage Teams
• Create / Manage Users
All this in a declerative Way.

30
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
This is ISO Compliant, as it will follow the Guidelines:
Access Control:
WE define who has Access to our Repo which manages the GH Orgas
Audit Trails:
WE will use the GH built-in Stuff for Changes, but use our GH Repo for all other Stuff
Information Security Policies:
Process is comprehensible and you can explain and show it to an Auditor
NO UI ClickOps.
4-Eyes Principle:
In Place via PR.

31
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
That‘s all?

32
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
That‘s all?
Wait, there is more.

33
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
The state of your Repo is save, right?

34
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
Somewhere at Terraform Cloud or AWS ?

35
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
Somewhere at Terraform Cloud or AWS !
Sure, but your doing State changes locally
after the approval of the PR ?

36
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER

37
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER

38
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
Enhancing Terraform Infrastructure Management with Atlantis
• Integrate terraform plan / apply output into Pull Requests
• informed decision-making during reviews
• Works with all sorts of Providers
• AWS
• GCP
• GitHub
• GitLab
• BitBucket
• …

39
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
How does Atlantis work ?

40
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
Error!!!

41
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
Error!!!

42
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
It works!!!1111einseins
Automatic Planing

43
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
It works!!!1111einseins
Automatic Planing

44
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
Get your PR approved !
• Atlantis also Supports Slack Notifications
Now, APPLY!
And Merge.

45
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
Your done J
• You can improve this workflow even more
• Atlantis represents a significant improvement in establishing reliable
audit control and governance over Infrastructure as Code (IaC).
• This process supports your ISO Certification and
helps to convince auditors of the robust measures you have taken.

46
3. QUESTIONS
Any Questions ?

Managing Github via Terrafom.pdf

More Related Content

Similar to Managing Github via Terrafom.pdf (20)

Recently uploaded (20)

Managing Github via Terrafom.pdf