Objective
We will be using GitHub Actions for our CI/CD execution.
We will be defining a pipeline strategy for infrastructure as well as for applications.
Contents
1. Infrastructure Pipeline
2. Application Pipeline
1. Infrastructure Pipeline:
For deploying and bringing up the infrastructure on the cloud we are using IaC (Terraform).
To bring the environment up with a single click while meeting all security compliance requirements, the flow below is defined:
Various open source tools used:
1. Slack Bot: For push and success notifications.
2. tflint: TFLint is a framework in which each feature is provided by plugins; the key features are as follows:
   - Find possible errors (like illegal instance types) for the major cloud providers (AWS/Azure/GCP).
   - Warn about deprecated syntax and unused declarations.
   - Enforce best practices and naming conventions.
3. Terrascan: A static code analyser for Infrastructure as Code.
4. Checkov/tfsec: [Need to finalise any one]
Checkov:
   - Checkov is a static code analysis tool for infrastructure-as-code.
   - It scans cloud infrastructure provisioned using: Terraform, Terraform plan, CloudFormation, AWS SAM, Kubernetes, Helm charts, Kustomize, Dockerfile, Serverless.
   - Detects security and compliance misconfigurations using graph-based scanning.
tfsec:
   - tfsec uses static analysis of your Terraform code to spot potential misconfigurations.
   - Checks for misconfigurations across all major (and some minor) cloud providers.
   - Hundreds of built-in rules.
   - Scans modules (local and remote).
   - Evaluates HCL expressions as well as literal values.
   - Evaluates Terraform functions, e.g. concat().
   - Evaluates relationships between Terraform resources.
   - Compatible with the Terraform CDK.
   - Applies (and embellishes) user-defined Rego policies.
   - Supports multiple output formats: CLI, JSON, SARIF, CSV, CheckStyle, and JUnit.
   - Configurable (via CLI flags and/or config file).
   - Very fast, capable of quickly scanning huge repositories.
   - Plugins for popular IDEs available (JetBrains, VSCode and Vim).
   - Community-driven.
5. Terraform: An IaC tool for creating the various resources on the cloud.
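The flow above, written out as a GitHub Actions workflow. This is an added example, not a workflow from the page or the project: it assumes the Terraform root is the repository root, AWS is the target cloud, the repository defines the secrets AWS_ROLE_ARN (an IAM role trusted for GitHub OIDC) and SLACK_WEBHOOK_URL, and Checkov is the scanner pending the Checkov/tfsec decision. Scanners run before any cloud credentials are issued, and apply only runs on a push to main.

```yaml
# Added example. Assumptions: Terraform root = repo root, AWS target,
# secrets AWS_ROLE_ARN and SLACK_WEBHOOK_URL exist, Checkov chosen over tfsec.
name: infrastructure-pipeline
on:
  push:
    branches: [main]
  pull_request:

permissions:            # least privilege: the job gets only what it needs
  contents: read
  id-token: write       # short-lived cloud credentials via OIDC, no static keys

jobs:
  infra:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - name: Formatting check
        run: terraform fmt -check -recursive

      - uses: terraform-linters/setup-tflint@v4
      - name: tflint (possible errors, deprecated syntax, naming)
        run: tflint --init && tflint --recursive
      - name: Terrascan (static analysis of the IaC)
        run: docker run --rm -v "$PWD:/iac" -w /iac tenable/terrascan scan -i terraform -t aws
      - name: Checkov (security and compliance misconfigurations)
        run: pip install checkov && checkov -d . --framework terraform

      # Credentials are only issued after every scan above has passed.
      - name: Cloud credentials via OIDC
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          aws-region: us-east-1
      - name: Terraform init, validate, plan
        run: terraform init -input=false && terraform validate && terraform plan -input=false -out=tfplan
      - name: Terraform apply (only on push to main, i.e. after review and merge)
        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        run: terraform apply -input=false tfplan

      - name: Slack notification (push and result)
        if: always()
        uses: slackapi/slack-github-action@v1.26.0
        with:
          payload: '{"text":"infra pipeline ${{ job.status }} for ${{ github.sha }}"}'
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
```

Any scanner step that exits non-zero stops the job before the OIDC step, so a failing compliance check can never reach plan or apply.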
NOTE: Will be updating the page as & when we define the process.