This article covers everything you need to know about Infrastructure as Code (IaC) in Nexus Lifecycle. We’ll go over what IaC is, how it works, and how to use it with Nexus Lifecycle.
More specifically, this article will help you with the following:
- Understand what Infrastructure as Code is and how it’s used in modern software development.
- Explain how Nexus Lifecycle scans IaC files and what information will be available from the scans.
- Run scans in Nexus Lifecycle using a CI (Jenkins or Bamboo) plugin or the command line interface (CLI).
- Analyze the results of a scan and use that information to better understand the health of your infrastructure.
Prerequisites:
- The latest release of Lifecycle (release 127 or newer required).
- The Infrastructure as Code Pack is enabled (IaC is an add-on with additional cost).
What is Infrastructure as Code?
Infrastructure as Code is a means of expressing cloud infrastructure using code, which can be run against cloud provider APIs to create, configure, and modify cloud infrastructure. IaC is used in place of the cloud provider console.
IaC is a far more efficient way of building and managing cloud infrastructure environments than cloud consoles are. You can express some, or all, of a cloud infrastructure environment in an IaC file before you build any infrastructure. One can build a global network in minutes using IaC, something that would have taken weeks using the console (and months before cloud).
IaC is a predictable and scalable way to manage cloud infrastructure. IaC files can be shared, code-reviewed, and replicated. They can be evaluated and certified by security and compliance teams and then used across an organization.
Infrastructure as Code templates may include potentially sensitive data when describing the target environment and infrastructure. While this information is sent encrypted to Sonatype servers during evaluations, it is strongly recommended that best practices are followed: information like passwords or API keys should not be exposed in plaintext wherever possible. Vaults are a common solution for storing secrets and referencing them from inside configuration files.
How does Nexus Lifecycle scan IaC?
Now that you have some basic knowledge of IaC, let’s talk about how Nexus Lifecycle works with it.
With Nexus Lifecycle, you can scan your Terraform, AWS CloudFormation, or Kubernetes configurations before deploying to production and gain early feedback.
Nexus Lifecycle will scan IaC configurations against a comprehensive set of rules and identify misconfigurations, provide remediation guidance, and also pinpoint specific compliance issues.
Where can I integrate Sonatype’s IaC scanning into my SDLC?
IaC scanning is available in the Nexus IQ CLI, Docker CLI, and the Jenkins, Bamboo, and GitLab plugins.
Scan Terraform HCL files, AWS CloudFormation templates, Kubernetes manifests
With Nexus Lifecycle, you can scan Terraform HCL files, CloudFormation files (JSON and YAML), and Kubernetes manifests using the Nexus IQ CLI or as a build step with Jenkins using the Jenkins plugin.
Executing a scan via the CLI or as a build step with Jenkins will include any target prefixed with iac: as part of the scan results.
You may specify a single IaC configuration file or a directory as the scan target. In case a directory is specified, the directory and subdirectories within it will be recursively scanned and results will be provided for all IaC configuration files that are found.
Scan Terraform plan files
To scan a Terraform plan file, the first step is to generate it. This is typically done during the build process with the following command:
terraform plan -out=terraform.tfplan
You can then create a JSON representation of the resolved plan:
terraform show -json terraform.tfplan > terraform.json
The JSON representation of the plan file is what you then scan.
Data Security Practices
In order for the Infrastructure as Code Pack to evaluate an application’s cloud infrastructure for vulnerabilities and misconfigurations, the IaC product will scan the applicable IaC template provided by the end user and will provide the results of such scan within the Nexus Lifecycle report. Due to the nature of IaC templates, there is potential for unprotected sensitive data to be transmitted (including information regarding your environment and infrastructure).
As such, prior to running a scan using Sonatype’s IaC Pack, please ensure that such sensitive data is not transmitted to Sonatype and that any such sensitive information is protected in accordance with information security best practices. Specifically, please ensure that (a) sensitive information like usernames, passwords, API tokens, and SSH keys are not exposed in plaintext, and (b) where possible, you use protective measures like environment variables and vaults. Sonatype neither requires, nor wants to receive, any such sensitive information.
What will I see in the evaluation results?
When scanning IaC, all of the policies set up in your instance of Lifecycle are applied, giving you a breakdown as it would in any other application. The report will contain information on the resources with misconfigurations or vulnerabilities, and provide a breakdown in terms of the IaC vulnerabilities, what is breaking policy, and how you can resolve vulnerabilities.
Information provided from the scan report helps you understand the quality of the applications alongside your infrastructure, and Nexus Lifecycle provides that intelligence throughout the development pipeline.
An example - running a scan from the CLI
- Navigate to a workspace that has an IaC configuration file.
- Run the Nexus IQ CLI:
java -jar nexus-iq-cli-1.126.0-01.jar -i test-app -s http://localhost:8070 -a admin:admin123 -t develop iac:myDirectory
The example above is using release 127 of the IQ CLI.
- test-app is the name of the application we are running the evaluation against,
- localhost:8070 is the location of Nexus Lifecycle,
- admin:admin123 are our login credentials, and
- iac:myDirectory means we are recursively scanning everything in the directory myDirectory for IaC configuration files (Terraform HCL files, CloudFormation templates, and Kubernetes manifests).
The example scans a directory; however, it is also possible to scan individual files by replacing myDirectory with the name of the file. You can also scan multiple files or directories by specifying multiple targets, for example:
java -jar nexus-iq-cli-1.126.0-01.jar -i test-app -s http://localhost:8070 -a admin:admin123 -t develop iac:myHCLDirectory iac:myAWSDirectory
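The following script is an added example, not Sonatype's code, that wraps the CLI invocation shown above and also puts the advice from the Data Security Practices section into practice: before any iac: target is handed to the CLI, the files it covers are checked for secrets written in plaintext, and the scan is refused if any are found. The function names, the IQ_* environment variables, the jar name and the secret-matching pattern are assumptions for illustration; the IaC snippets it is tested with are constructed. A Terraform plan JSON file produced with terraform show -json can be passed as a target just like a directory.

```bash
#!/usr/bin/env bash
# Added example (not Sonatype's code): pre-flight checks before handing IaC
# targets to the Nexus IQ CLI. Function names, IQ_* variables and the jar
# name are assumptions for this example.
set -u

# Rough pattern for a secret assigned as a quoted literal (HCL, YAML, JSON)
# or a PEM private key pasted into a file. Values that reference a variable
# or vault lookup (password = var.db_password, "${...}") are not matched.
# Unquoted YAML scalars (password: hunter2) are not caught; extend as needed.
SECRET_PATTERN='(password|secret|api_key|apikey|token|access_key)[[:space:]]*[=:][[:space:]]*"[^"$]+"|BEGIN [A-Z ]*PRIVATE KEY'

# Return 0 when no plaintext secret is found under PATH (file or directory),
# 1 otherwise. Only the file types Lifecycle scans are inspected.
check_plaintext_secrets() {
  local path=$1 hits
  hits=$(find "$path" -type f \( -name '*.tf' -o -name '*.yaml' -o -name '*.yml' -o -name '*.json' \) \
           -exec grep -EinH "$SECRET_PATTERN" {} + 2>/dev/null || true)
  if [ -n "$hits" ]; then
    printf 'Refusing to scan: plaintext secrets found\n%s\n' "$hits" >&2
    return 1
  fi
  return 0
}

# Turn a list of files/directories into the "iac:" targets the CLI expects,
# failing early on paths that do not exist. Paths must not contain whitespace
# because each target has to reach the CLI as a separate argument.
build_iac_targets() {
  local out="" p
  for p in "$@"; do
    [ -e "$p" ] || { printf 'missing target: %s\n' "$p" >&2; return 1; }
    out="$out iac:$p"
  done
  printf '%s\n' "${out# }"
}

# Run the evaluation for APP at STAGE over the given targets.
# IQ_CLI_JAR, IQ_SERVER and IQ_AUTH (user:password) configure the CLI;
# IQ_DRY_RUN=1 prints the command line instead of invoking java.
run_iac_scan() {
  local app=$1 stage=$2 p targets
  shift 2
  for p in "$@"; do
    check_plaintext_secrets "$p" || return 1
  done
  targets=$(build_iac_targets "$@") || return 1
  # shellcheck disable=SC2086  # $targets is intentionally word-split
  set -- java -jar "${IQ_CLI_JAR:-nexus-iq-cli.jar}" -i "$app" \
         -s "${IQ_SERVER:-http://localhost:8070}" \
         -a "${IQ_AUTH:?set IQ_AUTH to user:password}" -t "$stage" $targets
  if [ "${IQ_DRY_RUN:-0}" = 1 ]; then
    printf '%s ' "$@"; printf '\n'
    return 0
  fi
  "$@"
}
```

In a CI job you would export IQ_AUTH from the job's secret store rather than writing it into the script, then call run_iac_scan test-app develop myHCLDirectory myAWSDirectory; a non-zero exit from the secret check fails the build before anything is sent to the server.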
Once the scan is complete, you’ll see a link to the report in your CLI. Copy the link and then paste it into your browser to access the scan results.
Figure 1: Infrastructure violations in the Nexus Lifecycle report.
The report shows you the components identified, customized policy violations, and remediation steps. It will also automatically kick off notifications if that feature is enabled.
For more information on running scans in the CLI, please see our Nexus IQ CLI help docs.
Talk to Us
Visit my.sonatype.com for all things Sonatype.