In my last post, I discussed the power of using Azure DevOps YAML pipelines and Terraform together. Today, I would like to look at how to improve the security of this solution by integrating the Azure Key Vault within the pipeline. When deploying infrastructure, there’s always a need to manage secrets or securely authenticate in order to access the infrastructure after it is built. This problem is compounded when running Infrastructure as Code platforms like Terraform because this secret data needs to be provided in a secure manner at run time. Additionally, Terraform does not currently have a process to manage the secrets within its state file, instead pushing customers to utilize encryption to secure the state file as documented here. By utilizing Azure Key Vault with Terraform and Azure DevOps, we can resolve these security issues.
Azure Key Vault
The Azure key vault service provides an environment to securely store certificates, keys, and secrets in a highly available PaaS infrastructure. With options for geo replication and soft delete support, the Azure Key Vault is a full featured security vault. Any and all passwords that you might need for database and virtual machine access can be stored in this vault. Other keys or certificates needed by App Gateways or virtual machine encryption will also be securely kept within the Vault. With all of this information securely stored within the Azure Key Vault, I will demonstrate how Azure DevOps can securely connect to and utilize information from the Azure Key Vault.
Azure DevOps Library
Azure DevOps Library is a feature within Azure DevOps that provides variables and secrets information to Azure DevOps pipelines. In particular, variable groups allow for creating a commonly used list of variables to use across one or multiple pipelines. Additionally, variable groups provide the ability to connect directly to an Azure Key Vault to utilize any value stored within the Key Vault. The below screenshot depicts how to configure the variable group to connect to a subscription and a key vault within that subscription.
Once the connection to the Azure Key Vault has been established, you can add variables to the variable group, by clicking add, and then selecting each secret, key, or certificate that the variable group can access. The variables that you have selected will then be shown in the variable group’s variable list as you can see below.
Pipeline Integration
Now that a variable group has been created and made available to the pipelines, the variables can easily be referenced from within the YAML code of the pipeline. Within the variable subheading in the yaml pipeline, we can simply define the variable group and then reference the variable names from within it. In the below yaml example code, I have referenced the variable group created earlier:
variables:
- group: Terraform_Vars
Now any variables within the group can be defined the same way that static variables within the yaml pipeline are defined, using the $(%variable%) reference. An example is listed below in the reference for the Terraform plan:
Arguments: 'plan -var admin_password=$(admin_password) -var
domain_password=$(domain_password)’
We can now see the benefit of this approach if we look at both the Log output of the Terraform plan inside of the Azure DevOps logs as well as the State file itself. In both instances the secret data is kept secure.
Terraform Plan Log output in Azure DevOps
"terraform" plan -var domain_password=*** -var admin_password=*** -input=false -no-colorState File snippet from Azure VM os profile terraform sub block:
"os_profile": [
{
"admin_password": "",
"admin_username": "vmadmin",
"computer_name": "fg-windows-0",
"custom_data": ""
}
],
From both examples above, you can see that all of the secret information passed from the Azure Key Vault has been kept secure throughout the entire process and reduces the attack surface of the environment.
Conclusion
After following the design pattern detailed in this article, we can see that the combined features sets provided by Microsoft provides a great security solution to an automated Infrastructure as Code pipeline. If you are interested in utilizing these tools to deploy a secure pipeline for your environment, please reach out to the Azure team at Foghorn and we would be more than happy to assist architecting this solution.
