Posted on Leave a comment

Pass terraform provider variables as secrets

Many times you need to provide values in provider information when using terraform. Lets take as an example the below code block. The azuredevops provider needs some variables in order to deploy successfully and we need to pass those values as secrets because they contain sensitive information.

terraform {
required_providers {
azuredevops = {
source = "microsoft/azuredevops"
version = ">=1.0.0"
}
}
}

provider "azuredevops" {
org_service_url = URL
personal_access_token = TOKEN
}

We should never hardcode such information in the application as this information may get leaked. In order to pass those as secrets we will need to create a variable group or standalone variables and place the secrets there.

Then we will need to create some terraform variables and pass the values for those through the pipeline.

variable "org_service_url" {
description = "The URL of your Azure DevOps organization."
}

variable "personal_access_token" {
description = "The personal access token for authentication."
}

The provider block should be updated accordingly.

provider "azuredevops" {
org_service_url = var.org_service_url
personal_access_token = var.personal_access_token
}

Finally we pass those values through the pipeline step by providing those with -var argument on terraform.

    - task: TerraformTaskV4@4
displayName: terraform apply
inputs:
provider: 'azurerm'
command: 'apply'
workingDirectory: '$(System.DefaultWorkingDirectory)/src/iac_devops'
commandOptions: '-var="org_service_url=$(URL)" -var="personal_access_token=$(PAT)"'
environmentServiceNameAzureRM: 'SUBSCRIPTION'

Finally the pipeline will succeed.

Posted on Leave a comment

Azure DevOps Terraform Provider

If you work everywhere as a code you will probably need to check Azure DevOps terraform provider. It is created and maintained from Microsoft and you can use it in order to have your DevOps tool as a code.

https://registry.terraform.io/providers/microsoft/azuredevops/latest/docs

In order to getting started you will need to create a PAT token and give it the access based on the actions that you need to do.

When the token is ready you will need to set two environmental variables on the machine that you work. The first one is AZDO_PERSONAL_ACCESS_TOKEN which should be your token. The second one will be your org URL AZDO_ORG_SERVICE_URL

export AZDO_PERSONAL_ACCESS_TOKEN= TOKEN
export AZDO_ORG_SERVICE_URL= https://dev.azure.com/geralexgr

Finally you are ready to deploy your IAC Azure DevOps configurations.

Lets see the below example.

# Make sure to set the following environment variables:
#   AZDO_PERSONAL_ACCESS_TOKEN
#   AZDO_ORG_SERVICE_URL
terraform {
  required_providers {
    azuredevops = {
      source = "microsoft/azuredevops"
      version = ">=0.1.0"
    }
  }
}

resource "azuredevops_project" "project" {
  name = "My Awesome Project"
  description  = "All of my awesomee things"
}

resource "azuredevops_git_repository" "repository" {
  project_id = azuredevops_project.project.id
  name       = "My Awesome Repo"
  initialization {
    init_type = "Clean"
  }
}

resource "azuredevops_build_definition" "build_definition" {
  project_id = azuredevops_project.project.id
  name       = "My Awesome Build Pipeline"
  path       = "\\"

  repository {
    repo_type   = "TfsGit"
    repo_id     = azuredevops_git_repository.repository.id
    branch_name = azuredevops_git_repository.repository.default_branch
    yml_path    = "azure-pipelines.yml"
  }
}

When above code runs it will create a new project with the name My Awesome Project. Inside the project a new git repo will be initialized and a new pipeline will be created inside this repository.

You can find the usage example below.

https://github.com/microsoft/terraform-provider-azuredevops

Youtube video:

Posted on Leave a comment

Scan azure devops repositories for credentials and passwords

DevSecOps practices are important for organizations especially when it comes to code repositories. Your code should avoid hard coded passwords and secrets for many reasons as a leak may occur. In this guide I will examine how you can massively scan Azure DevOps repositories for security leaks as passwords and secrets with gitleaks utility.

https://github.com/gitleaks/gitleaks

Simon has provided a very useful script that you can use in order to download all your repositories from Azure DevOps.

Cloning all repositories from Azure DevOps using Azure CLI – Simon Wahlin

When you execute the script, all the repositories will be downloaded inside your project folder.

Then you will need to install gitleaks and execute for each repository.

$folder_for_cleanup = "C:\Users\geralexgr\Documents\AzureRepos"
Get-ChildItem $folder_for_cleanup | Sort -Property FullName | ForEach-Object {
                gitleaks detect -s $_.FullName -v >> gitleaks-results.txt
                echo "######################################################################################################" >> gitleaks-results.txt
            }

The scan will go through each repository and scan for leaks. The output will be stored in gitleaks-result text file.

Posted on Leave a comment

Install linux azure devops agent on docker container

As we previously examined how we can create a containerized azure devops agent running on a windows machine, we will now go through the same procedure but with linux OS.

You can read the windows container azure devops agent article using the below link:

The first thing that you will need is a virtual machine that runs docker. When this requirement is fulfilled you can jump on the image building. In order to build your image you will need your Dockerfile and the instructions for the agent.

You can read the rest of the article on Medium using the link below:

A detailed deployment video can be found on my Udemy course:

https://www.udemy.com/course/mastering-azure-devops-cicd-pipelines-with-yaml/