Accurics can integrate with the Azure DevOps Pipeline in order to break the pipeline if Accurics finds high severity violations in the code.
- Azure Account: To host the infrastructure provisioned by IaC.
- Azure DevOps Organization and Project: To host one or more Azure DevOps pipelines, related Environment variables, repositories, etc.
- Azure DevOps Pipeline
- Terraform ARM_* environment variables available to the pipeline
Perform the following steps to integrate Azure DevOps Pipelines with Accurics:
- Retrieve Accurics CLI configuration and add it to the repository
- Import the sample Accurics pipeline into Azure DevOps
- Set the Terraform ARM_* environment variables
Retrieve Accurics CLI configuration and add it to the repository
Download the Accurics CLI. Extract just the configuration file (“config”) and add that file to the base of your Infrastructure as Code (IaC) repository.
Import the sample Accurics pipeline into Azure DevOps
Create a YAML file called ado_pipeline_with_accurics.yaml with this code, and put it into your Azure DevOps repository. Once you check in the YAML file, it is visible in the Azure DevOps repository.
Create a pipeline using that YAML pipeline definition.
Set the Terraform ARM_* environment variables
The ARM_* environment variables need to be set for Terraform (and Accurics) to function properly. You can use any one of these approaches to set the environment variables:
Hard-code environment variables in the pipeline
export ARM_CLIENT_SECRET='CORRECT HORSE STAPLE BATTERY'
export ARM_CLIENT_ID='00000000-0000-0000-0000-000000000000'
export ARM_TENANT_ID='11111111-1111-1111-1111-111111111111'
export ARM_SUBSCRIPTION_ID='22222222-2222-2222-2222-222222222222'
Use Pipeline variables
If you use Pipeline variables, they will be set as environment variables and do not need to be accounted for in the code.
Comment out the four export statements in the following example:
#Handled by Pipeline variables
#export ARM_SUBSCRIPTION_ID= subscription id
#export ARM_TENANT_ID= tenant id
#export ARM_CLIENT_ID= client id
#export ARM_CLIENT_SECRET= client secret
Use Pipeline secret variables
Store the ARM_CLIENT_SECRET as a secret variable.
In this case, the secret variable needs to be exported as an environment variable in the pipeline:
#Handled by Pipeline variables
#export ARM_SUBSCRIPTION_ID= subscription id
#export ARM_TENANT_ID= tenant id
#export ARM_CLIENT_ID= client id
#Pipeline secret variable
export ARM_CLIENT_SECRET=$(ARM_CLIENT_SECRET)
If your organization has a preferred secret management workflow, you can use that approach.
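As an added example (not Accurics' or Microsoft's code), the following script step validates the four ARM_* variables described above before `accurics init` and `accurics plan` run. It assumes a POSIX shell step in Azure DevOps; the `##vso[task.logissue]` logging command and the check for the documentation sample secret are choices of this example, not requirements of Accurics.

```sh
#!/bin/sh
# Added example: pre-flight check for the Terraform ARM_* variables.
# It confirms all four are present and well-formed WITHOUT printing their
# values, so a missing or mis-mapped pipeline (secret) variable fails the
# step early and the client secret never lands in the pipeline log.

# is_guid VALUE -> 0 if VALUE has the 8-4-4-4-12 hex form, else 1
is_guid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# check_arm_env -> 0 when all variables are usable, 1 otherwise.
# Findings name the variable only; values are never echoed.
check_arm_env() {
  rc=0
  for name in ARM_SUBSCRIPTION_ID ARM_TENANT_ID ARM_CLIENT_ID ARM_CLIENT_SECRET; do
    eval "val=\${$name:-}"
    if [ -z "$val" ]; then
      # ##vso[task.logissue ...] is the Azure DevOps logging command that
      # attaches an error to the step (assumed to be the step type in use).
      echo "##vso[task.logissue type=error]$name is not set; map the pipeline variable into this step" >&2
      rc=1
    fi
  done
  # The three identifiers are GUIDs; a literal placeholder such as
  # 'subscription id' left over from the commented-out template is caught here.
  for name in ARM_SUBSCRIPTION_ID ARM_TENANT_ID ARM_CLIENT_ID; do
    eval "val=\${$name:-}"
    if [ -n "$val" ] && ! is_guid "$val"; then
      echo "##vso[task.logissue type=error]$name is not a GUID" >&2
      rc=1
    fi
  done
  # The hard-coded sample secret from the documentation must never reach a real run.
  if [ "${ARM_CLIENT_SECRET:-}" = 'CORRECT HORSE STAPLE BATTERY' ]; then
    echo "##vso[task.logissue type=error]ARM_CLIENT_SECRET is the documentation sample value" >&2
    rc=1
  fi
  return $rc
}

# Typical use in the pipeline step (the exit code becomes the step result):
#   check_arm_env && accurics init && accurics plan -fail
```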
Pipeline behavior when Accurics identifies a policy violation
The sample pipeline continues even if the Accurics scan identifies a policy violation:
---
trigger:
#[Pipeline code omitted]
accurics init
accurics plan
You can set the ADO pipeline to break if Accurics finds high severity violations during a scan by adding the -fail flag to accurics plan. See Failing a Build for High Severity Violations.
---
trigger:
#[Pipeline code omitted]
accurics init
accurics plan -fail
Once the pipeline is working, you should be able to edit Terraform code and have the pipeline run as expected.