
Increasing the Security Posture of your Pipelines

In this talk, I share lessons learned about increasing the security posture of CI / CD pipelines and how Terraform can help unlock patterns that work at scale.

This version of the talk was given as the opening keynote at devopsdays Ljubljana in September 2023.

Kerim Satirli

September 30, 2023


Transcript

  1. Increasing the Security
    Posture of your Pipelines

  2. Getting the Security Team
    to stop bothering you daily

  3. Kerim Satirli
    Sr. Developer Advocate at HashiCorp
    he / him
    @ksatirli

  4. Define the Pipeline
    react to repository events
    deal with code quality issues
    ensure code quality

  5. pipeline.yml
    Define the Pipeline
    ---
    # when to run this pipeline

    # all the stuff it needs to do

    # handle errors other people introduced

  6. terraform.yml
    Define the Pipeline
    ---
    # when to run this pipeline
    on:
      push:

    jobs:
      # all the stuff it needs to do
      happy_path:
        steps:
          - run: terraform fmt -check -recursive && terraform validate

      # handle errors other people introduced
      sad_path:
        steps:
          - if: ${{ failure() }}
            uses: upload-artifacts

  8. terraform.yml
    Define the Pipeline
    ---
    # when to run this pipeline
    on:
      push:

    jobs:
      # all the stuff it needs to do
      happy_path:
        steps:
          - run: terraform fmt -check -recursive && terraform validate
            with:
              version: "1.6.0"

  9. terraform.yml
    Define the Pipeline
    ---
    # when to run this pipeline
    on:
      push:

    jobs:
      # all the stuff it needs to do
      happy_path:
        steps:
          - uses: "hashicorp/setup-terraform"
            with:
              version: "1.6.0"
          - run: terraform fmt -check -recursive && terraform validate

  10. terraform.yml
    Define the Pipeline
    ---
    # when to run this pipeline
    on:
      push:

    jobs:
      # all the stuff it needs to do
      happy_path:
        steps:
          - uses: "hashicorp/setup-terraform@v2.0.3"
            with:
              version: "1.6.0"
          - run: terraform fmt -check -recursive && terraform validate

  11. from the Security Team

  12. terraform.yml
    My Pipeline Definition
    ---
    # when to run this pipeline
    on:
      push:

    jobs:
      # all the stuff it needs to do
      happy_path:
        steps:
          # pinned to a tag: the tag can be moved to a different commit
          - uses: "hashicorp/setup-terraform@v2.0.3"
            with:
              version: "1.6.0"
          - run: terraform fmt -check -recursive && terraform validate

  13. terraform.yml
    Their Pipeline Definition
    ---
    # when to run this pipeline
    on:
      push:

    jobs:
      # all the stuff it needs to do
      happy_path:
        steps:
          # pinned to a full commit SHA: immutable
          - uses: "hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1"
            with:
              version: "1.6.0"
          - run: terraform fmt -check -recursive && terraform validate

  14. Getting Release Information
    https://docs.github.com/en/rest/releases/releases

  15. variables.tf
    Define a Set of Actions
    variable "actions_config" {
      type = map(object({
        owner      = string
        repository = string
        path       = optional(string) # sub-directory, for actions that live in a monorepo
        version    = string
      }))

      default = {
        # see https://github.com/hashicorp/setup-terraform/releases
        terraform = {
          owner      = "hashicorp"
          repository = "setup-terraform"
          version    = "v2.0.3"
        }
      }
    }

  16. variables.tf
    Retrieve Release Information
    data "github_release" "actions" {
      for_each = {
        for id, action in var.actions_config : id => action
      }

      repository  = each.value.repository
      owner       = each.value.owner
      retrieve_by = "tag"
      release_tag = each.value.version
    }

    data "github_ref" "actions" {
      for_each = data.github_release.actions

      repository = each.value.repository
      owner      = each.value.owner
      ref        = "tags/${each.value.release_tag}"
    }

  17. variables.tf
    Transform Release Information
    locals {
      actions_config = {
        # This place is not a place of honor.
        # no highly esteemed deed is commemorated here.
        # (but we really needed these values)
        for action in tolist(keys(var.actions_config)) : action => {
          owner   = var.actions_config[action].owner
          path    = var.actions_config[action].path
          ref     = data.github_ref.actions[action].ref
          repo    = var.actions_config[action].repository
          sha     = data.github_ref.actions[action].sha
          version = var.actions_config[action].version
        }
      }
    }

  18. Terminal
    Verify Transformed Data
    > terraform output github_actions_releases
    {
      "terraform" = {
        "repo"    = "hashicorp/setup-terraform"
        "sha"     = "633666f66e0061ca3b725c73b2ec20cd13a8fdd1"
        "version" = "v2.0.3"
      }
    }

  19. terraform.tftpl.yml
    Prepare Template
    ...
    jobs:
      workflow:
        name: Terraform
        runs-on: ubuntu-latest
        steps:
          # github.com/${terraform.owner}/${terraform.repo}/releases/tag/${terraform.version}
          - name: Set up Terraform
            uses: "${terraform.owner}/${terraform.repo}@${terraform.sha}" # ref: `${terraform.ref}`
            with:
              terraform_version: "1.6.0"
    ...

  20. variables.tf
    Render Template
    locals {
      repository_files = [
        {
          file    = ".github/workflows/terraform.yml"
          content = templatefile("./tmpl/terraform.tftpl.yml", {
            # every key passed here must also be defined in var.actions_config
            checkout  = local.actions_config["checkout"]
            terraform = local.actions_config["terraform"]
          })
        },
      ]
    }

  21. terraform.yml
    Render Template
    ...
    jobs:
      workflow:
        name: Terraform
        runs-on: ubuntu-latest
        steps:
          # github.com/hashicorp/setup-terraform/releases/tag/v2.0.3
          - name: Set up Terraform
            uses: "hashicorp/setup-terraform@633...dd1" # ref: `tags/v2.0.3`
            with:
              terraform_version: "1.6.0"
    ...

  22. Add Rendered Template to Repository
    https://github.com/workloads/workspaces/blob/main/.github/workflows/terraform.yml

  23. organization.tf
    Update Allow List for Actions
    resource "github_actions_organization_permissions" "main" {
      allowed_actions      = "selected"
      enabled_repositories = "all"

      allowed_actions_config {
        github_owned_allowed = false
        verified_allowed     = false
      }
    }

  24. organization.tf
    Update Allow List for Actions
    resource "github_actions_organization_permissions" "main" {
      allowed_actions      = "selected"
      enabled_repositories = "all"

      allowed_actions_config {
        github_owned_allowed = false
        verified_allowed     = false

        # one "owner/repo[/path]@sha" pattern per action in local.actions_config
        patterns_allowed = [
          for action in local.actions_config :
          action.path != null ? "${action.owner}/${action.repo}/${action.path}@${action.sha}" : "${action.owner}/${action.repo}@${action.sha}"
        ]
      }
    }
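
An added check, written for this page and not part of the deck or the demo repository, that covers the point of slides 13 and 24 in Python: it scans a workflow for `uses:` references, flags any that are not pinned to a full 40-character commit SHA, and emits allow-list patterns in the same `owner/repo[/path]@sha` shape as the `patterns_allowed` expression. The sample workflow, the `example-org/monorepo` action and its SHA are constructed; the setup-terraform SHA is the one shown on slide 18.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample (not from the deck): a tag-pinned step, a SHA-pinned step, a monorepo sub-path step.
SAMPLE_WORKFLOW = """\
jobs:
  workflow:
    steps:
      - uses: "actions/checkout@v4"
        uses: "hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1" # ref: `tags/v2.0.3`
      - uses: example-org/monorepo/actions/lint@0123456789abcdef0123456789abcdef01234567
      - run: terraform fmt -check -recursive && terraform validate
"""
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*["']?([^"'\s#]+)""")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # only a full commit SHA is immutable

class ActionRef(NamedTuple):
    owner: str
    repo: str
    path: Optional[str]  # sub-directory for actions that live in a monorepo
    ref: str

    @property
    def pinned(self) -> bool:
        return SHA_RE.match(self.ref) is not None  # tags and branches can be moved

    @property
    def allow_pattern(self) -> str:
        # Same owner/repo[/path]@ref shape as the patterns_allowed expression on slide 24.
        target = f"{self.owner}/{self.repo}" + (f"/{self.path}" if self.path else "")
        return f"{target}@{self.ref}"

def parse_uses(workflow_text):
    """Line-based scan (not a YAML parser) for owner/repo[/path]@ref references."""
    refs = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")) or "@" not in m.group(1):
            continue  # local and container references are not marketplace actions
        target, ref = m.group(1).rsplit("@", 1)
        owner, repo, *path = target.split("/")
        refs.append(ActionRef(owner, repo, "/".join(path) or None, ref))
    return refs

def audit(workflow_text):
    """Return (references to reject in review, allow-list patterns for the SHA-pinned ones)."""
    refs = parse_uses(workflow_text)
    unpinned = [r.allow_pattern for r in refs if not r.pinned]
    return unpinned, sorted({r.allow_pattern for r in refs if r.pinned})
```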

  25. Update Allow List for Actions
    https://github.com/workloads/workspaces/blob/main/.github/workflows/terraform.yml

  27. Demo Code
    https://github.com/workloads/github-organization

  28. What's next?

  29. Software Security
    is a Team Sport.

  30. Thank you
    speakerdeck.com/ksatirli
