1. Azure Arm Template IaC Security
Introduction
You can integrate prancer Platform into your DevOps process to do automated security tests on
Infrastructure as Code (IaC). This post will explain how to do an IaC security scan with Prancer
platform on your Azure ARM templates repository in a few steps.
High level steps
clone the Prancer Hello World repository
modify the connector file
run the tests
Interpret the results
Step 1 - clone the Prancer Hello World repository
git clone https://github.com/prancer-io/prancer-hello-world.git
cd prancer-hello-world
To clone the Prancer Hello World repository and change the directory to it.
Step 2 - modify the Connector
You should modify the Connector file to point to your own git repository. The sample connector
file is gitConnectorArm.json.
vi gitConnectorArm.json
2. You see the content of the file as follows:
{
"fileType": "structure",
"type": "filesystem",
"companyName": "prancer",
"gitProvider": "https://github.com/prancer-io/prancer-armof.git",
"branchName": "master",
"private": false
}
Change the gitProvider to point to your repository. You can find more information about the
structure of this file here
Step 3 - run the tests
First, crawl your repo and then run the tests with the following commands.
prancer scenario-arm-remote --crawler
prancer scenario-arm-remote
You will see the results of the tests on screen.
3. step 4 - Interpret the results
Prancer will generate an output file, and you can view the result of each test (Passed / Failed)
cat validation/scenario-arm-remote/output-master-test.json
Here is a snippet of the output-master-test.json file:
{
"eval": "data.rule.aks_cni_net",
"result": "passed",
"message": "",
4. "id": "PR-AZR-0006-ARM",
"remediation_description": "Make sure you are following the ARM template guidelines for
AKS from this URL : https://docs.microsoft.com/en-
us/azure/templates/microsoft.containerservice/managedclusters",
"remediation_function": "PR_AZR_0006_ARM.py",
"snapshots": [
{
"id": "ARM_TEMPLATE_SNAPSHOT1",
"structure": "filesystem",
"reference": "master",
"source": "gitConnectorArmRemoteStructure",
"collection": "armtemplate",
"type": "arm",
"region": "",
"paths": [
"/AKS/aks.azuredeploy.json",
"/AKS/aks.azuredeploy.parameters.json"
]
}
5. ],
"autoRemediate": false,
"masterTestId": "TEST_AKS_1",
"masterSnapshotId": [
"ARM_TEMPLATE_SNAPSHOT"
],
"type": "rego",
"rule": "file(aks.rego)",
"title": "Azure CNI networking should be enabled in Azure AKS cluster",
"description": "Azure CNI provides the following features over kubenet
networking:_x000D__x000D_- Every pod in the cluster is assigned an IP address in the virtual
network. The pods can directly communicate with other pods in the cluster, and other nodes in
the virtual network._x000D_- Pods in a subnet that have service endpoints enabled can securely
connect to Azure services, such as Azure Storage and SQL DB._x000D_- You can create user-
defined routes (UDR) to route traffic from pods to a Network Virtual Appliance._x000D_-
Support for Network Policies securing communication between pods._x000D__x000D_This
policy checks your AKS cluster for the Azure CNI network plugin and generates an alert if not
found.",
"tags": [
{
"cloud": "git",
"compliance": [],
"service": [
6. "microsoft.containerservice"
]
}
],
"snapshotId": [
"ARM_TEMPLATE_SNAPSHOT1"
],
"status": "enable"
}
It provides you all the details you need to track down the item and fix it if required.
You can easily integrate the Prancer Platform into your pipeline for automated IaC scans.
fail_success=`grep failed validation/scenario-arm-remote/output-master-test.json`
pass_error=`grep passed validation/scenario-arm-remote/output-master-test.json`
if [[ -z "$fail_success" ]] || [[ ! -z "$pass_error" ]] ; then echo "scenario-arm-remote failed"; exit
1;fi
References
Prancer Azure IaC security tests
Prancer docs