Managing Github via Terrafom.pdf
1. MANAGING GITHUB VIA TERRAFORM TO
BE COMPLIANT WITH ISO27001
Remove the UI from your On- / Offboarding GitHub Workflow
2. MICHA(EL) RAECK
PRODUCT OWNER DEVSECOPS
What we do as a Team?
Developing a platform as a Product tailored for all
engineering colleagues.
Utilizing Kubernetes to manage cloud-native services
within Hyperscalers (AWS mostly).
Offering consultancy services for customer projects.
Coordination of contractors.
Who am I?
• 37 y/o
• From Leipzig (working Hybrid)
• Owned a Full Service Media Agency for 10 years
• Owned a Bar and a Restaurant
• Was a Lead Developer and Head of Infrastructure at 1337 UGC
4. 4
1. PROBLEM
800 Repos within 12 Organizations
Different Teams / Teams in Teams /
External Users / External Users in Internal Repos ?!
5. 5
1. PROBLEM
1. Complexity in Management:
• Managing a variety of GitHub repositories.
• Managing a variety of GitHub Organizations.
2. User and Access Management:
• Coordinating multiple users, groups, and teams.
• Implementing consistent permissions and branch protection rules.
3. Collaboration with External Parties:
• Providing guest access to partners and customers.
• Ensuring controlled permissions for external users to
pull or push to repositories.
6. 6
1. PROBLEM
ISO27001:2013 requires:
Access Control: Ensuring strict access control in line with ISO 27001
to prevent unauthorized information disclosure or modification.
Audit Trails: Implementing comprehensive audit trails for changes to and
access to repositories and their user management, to meet ISO 27001's monitoring
and logging standards.
Information Security Policies: Developing and enforcing information
security policies that comply with the ISO 27001 framework across all
GitHub repositories and teams.
4-Eyes Principle:
13. 13
2. THE NOT SO BORING PART
Utilizing Terraform for Managing GitHub
14. 14
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
registry.terraform.io/providers/integrations/github/latest/docs
• Uses the GitHub API
15. 15
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
• In order to have proper rights and access control, you should set up an
Organization:
• https://github.com/orgs/terraform-github-test-orga
16. 16
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
Assumptions:
• Terraform is up and running
• You store your state in some sort of backend
• S3 + DynamoDB
• Terraform Cloud ?
• Your GitHub Personal Access Token is stored in an ENV variable
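The three assumptions above, written out as Terraform configuration. This is an added example, not code from the slides: it pins the GitHub provider, stores state in S3 with DynamoDB locking, and keeps the token out of the code by letting the provider read it from the environment. The bucket, table and region names are placeholders.

```hcl
# Added example (not from the slides): remote state in S3 with DynamoDB locking,
# and the GitHub provider authenticated from an environment variable.
# Placeholder values: bucket "example-tf-state-bucket", table "example-tf-locks",
# region "eu-central-1".
terraform {
  required_version = ">= 1.5.0"

  required_providers {
    github = {
      source  = "integrations/github"
      version = "~> 6.0"
    }
  }

  backend "s3" {
    bucket         = "example-tf-state-bucket" # placeholder
    key            = "github/terraform.tfstate"
    region         = "eu-central-1"            # placeholder
    dynamodb_table = "example-tf-locks"        # placeholder; gives state locking
    encrypt        = true                      # state contains org/team details
  }
}

# No token in code or state: the provider reads GITHUB_TOKEN from the environment.
#   export GITHUB_TOKEN="<your PAT>"   (never commit this value)
provider "github" {
  owner = "terraform-github-test-orga"
}
```

State locking matters here because the state file is the record of who has which rights; two concurrent applies against an unlocked state can silently drop a permission change. The token should be a fine-grained PAT (or a GitHub App installation) scoped to the organization, and rotated like any other credential.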
18. 18
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
DEFINE A REPO
provider "github" {
  owner = "terraform-github-test-orga"
}

# Repo
resource "github_repository" "example-repo" {
  name        = "terraform-github-test-repo-devops-meetup-2023"
  description = "A Repo for the Terraform GitHub Provider Example"
  visibility  = "public"
}
19. 19
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
SETUP A PULL TEAM
# Creating a Team with Pull Rights
resource "github_team" "pull_team" {
  name        = "Pull Team"
  description = "A team to READ on Terraform-managed repositories"
}

# Giving the Team correct Permissions
resource "github_team_repository" "team_repo_pull" {
  team_id    = github_team.pull_team.id
  repository = github_repository.example-repo.name
  permission = "pull"
}

# Assigning a Member to the Team
resource "github_team_membership" "team_membership_pull" {
  team_id  = github_team.pull_team.id
  username = "exampleUserOnGitHub"
  role     = "member"
}
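The slides stop at a read-only team. The problem slides also ask for consistent branch protection, controlled access for external users, and a 4-eyes principle; the following is an added example (not from the slides) that extends the same repo with a push team, a branch protection rule on main that requires a review, and an outside collaborator limited to pull. It assumes the provider and `github_repository.example-repo` defined above; `exampleExternalUser` is a placeholder.

```hcl
# Added example, not from the slides: a write team, branch protection that
# enforces the 4-eyes principle on main, and a read-only outside collaborator.
# Assumes the provider and github_repository.example-repo from the slides.

resource "github_team" "push_team" {
  name        = "Push Team"
  description = "A team allowed to PUSH to Terraform-managed repositories"
  privacy     = "closed" # visible to org members, membership is explicit
}

resource "github_team_repository" "team_repo_push" {
  team_id    = github_team.push_team.id
  repository = github_repository.example-repo.name
  permission = "push"
}

# Branch protection: nothing lands on main without a second pair of eyes.
resource "github_branch_protection" "main" {
  repository_id = github_repository.example-repo.node_id
  pattern       = "main"

  enforce_admins          = true  # admins are not exempt from the rule
  required_linear_history = true
  allows_force_pushes     = false # history is the audit trail, keep it intact
  allows_deletions        = false

  required_pull_request_reviews {
    required_approving_review_count = 1
    dismiss_stale_reviews           = true # new commits invalidate old approvals
    require_code_owner_reviews      = true # CODEOWNERS must sign off
  }
}

# External partner gets explicit, read-only access to this one repository
# instead of membership in an org team.
resource "github_repository_collaborator" "external_reader" {
  repository = github_repository.example-repo.name
  username   = "exampleExternalUser" # placeholder
  permission = "pull"
}
```

Because every one of these resources lives in the repository that manages the org, removing the external collaborator or loosening the branch rule is itself a reviewed pull request, which is exactly the audit trail the ISO slides ask for. `enforce_admins = true` is the setting auditors tend to look for: without it, an org admin can bypass the review requirement.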
21. 21
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
PLANNING
CREATE A PR
FOR IT
terraform will perform the following actions:
# github_team.pull_team will be created
+ resource "github_team" "pull_team" {
+ create_default_maintainer = false
+ description = "A team to READ on Terraform-managed repositories"
…
}
# github_team_membership.team_membership_pull will be created
+ resource "github_team_membership" "team_membership_pull" {
+ etag = (known after apply)
+ id = (known after apply)
+ role = "member"
+ team_id = (known after apply)
+ username = "mixxor"
}
# github_team_repository.team_repo_pull will be created
+ resource "github_team_repository" "team_repo_pull" {
+ etag = (known after apply)
+ id = (known after apply)
+ permission = "pull"
+ repository = "terraform-github-test-repo-devops-meetup-2023"
+ team_id = (known after apply)
}
Plan: 3 to add, 0 to change, 0 to destroy.
22. 22
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
PLANNING
CREATE A PR
FOR IT
➜ ✗ git commit -m "chore(YOUR-JIRA-TICKET): Add Max Mustermann"
28. 28
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
APPLYING
# main.tf
# define your existing repo here first
resource "github_repository" "_devops_meetup" {
  name        = "_devops_meetup"
  description = "let the Teams care about the Repo"
  visibility  = "private"
}

#sh
➜ ✗ terraform import github_repository._devops_meetup _devops_meetup
➜ ✗ terraform plan
➜ ✗ terraform apply
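The CLI import above runs on a laptop and leaves no trace in the PR. As an added example (not from the slides), the same import can be expressed as an `import` block (Terraform 1.5 and later), so the import itself is planned, reviewed and applied through the same pull request path; the example also adds guard rails for a repository that already holds history.

```hcl
# Added example (not from the slides): bringing an existing repository under
# Terraform control with an import block instead of `terraform import`,
# so the import goes through plan / PR / apply like every other change.

import {
  to = github_repository._devops_meetup
  id = "_devops_meetup" # name of the repo that already exists in the org
}

resource "github_repository" "_devops_meetup" {
  name        = "_devops_meetup"
  description = "let the Teams care about the Repo"
  visibility  = "private"

  # Guard rails for a repo that already holds code and history:
  archive_on_destroy = true # a destroy archives the repo instead of deleting it

  lifecycle {
    prevent_destroy = true  # a plan that would remove the repo fails instead
  }
}
```

`terraform plan` then reports `1 to import` alongside any changes. If the plan also shows updates to `description` or `visibility`, the code does not match what is actually configured on GitHub; reconcile that in the PR before applying, rather than letting the first apply silently rewrite the repo's settings. Once applied, the `import` block can be removed.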
29. 29
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
What can we do now?
• Create / Manage Repos
• Create / Manage Teams
• Create / Manage Users
All this in a declarative way.
30. 30
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
This is ISO compliant, as it follows the guidelines:
Access Control:
WE define who has access to our repo which manages the GH Orgas.
Audit Trails:
WE use the GH built-in audit log for changes, but use our GH repo for all other stuff.
Information Security Policies:
The process is comprehensible and you can explain and show it to an auditor.
NO UI ClickOps.
4-Eyes Principle:
In place via PR.
35. 35
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
The state of your repo is safe, right?
Somewhere at Terraform Cloud or AWS!
Sure, but you're doing state changes locally
after the approval of the PR?
44. 44
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
Get your PR approved!
• Atlantis also supports Slack notifications
Now, APPLY!
And merge.
45. 45
2. SOLVE IT
TERRAFORM
GITHUB PROVIDER
You're done :)
• You can improve this workflow even more
• Atlantis represents a significant improvement in establishing reliable
audit control and governance over Infrastructure as Code (IaC).
• This process supports your ISO certification and
helps to convince auditors of the robust measures you have taken.