Demonstration of Check Point Shift Left and WAAP Products. Deployed using DevOps methodology

metalstormbass/CloudGuard_WAAP_K8

CloudGuard_WAAP_K8

Written by Michael Braun

This document outlines how to deploy the OWASP Juice Shop and CloudGuard WAAP to Azure Kubernetes Service (AKS). The deployment is driven by GitHub Actions and illustrates how to incorporate CloudGuard ShiftLeft into a CI/CD pipeline.

From a high level, this is what happens:

Github Actions Build Pipeline:
    1. Prepares environment
    2. Creates configuration files to connect to Terraform Cloud
    3. Performs Shiftleft IAC scan and compares against rules I have created in Cloudguard CSPM
    4. Performs Shiftleft Container Scan
    5. Installs Terraform and runs terraform init, plan and apply.
    6. Terraform:
        a. Creates an AKS cluster.
        b. Uses Helm to install WAAP Pod
        c. Outputs URL

Github Actions Destroy Pipeline:
    1. Prepares environment
    2. Creates configuration files to connect to Terraform Cloud
    3. Performs Terraform Destroy

Prerequisites

Github Account
Azure Account
Terraform Cloud Account
Check Point CSPM Account - Terraform Compliance Rule and Rule ID
Check Point Cloud Portal - WAAP Token

Setup

Fork the CloudGuard_WAAP_K8 repository into your personal Github account.

Microsoft Azure

Create an App Registration in Azure. As this will be used multiple times, please note the following:

  • Application (client) ID
  • Directory (tenant) ID
  • Secret
  • Subscription ID

Ensure that you give this app registration "Contributor" permission. This is required for Terraform to build the environment.

Terraform

Terraform Cloud is being used to host the variables and the state file. The actual run occurs in Github Actions.

Create a new workspace in your Organization and select CLI-driven run. Then configure your variables.

Start with the Environment Variables. Input the Azure App Registration information you noted earlier. Use the following keys.

ARM_CLIENT_ID 
ARM_CLIENT_SECRET 
ARM_TENANT_ID 
ARM_SUBSCRIPTION_ID

Then fill in the variables required to run the Terraform configuration. Reuse the Azure App Registration client ID and secret for client_id and client_secret. Note: values cannot contain spaces or special characters. This is an Azure limitation.

Here are the key names you must use:

victim_company #This is used for naming the objects within Azure 
client_secret  #This is the client secret from the Azure App Registration created above. Required to connect to the AKS Cluster
client_id #This is the client id from the Azure App Registration created above. Required to connect to the AKS Cluster
token #This is the WAAP token
namespace #This is the namespace of the AKS Cluster

Under the user settings, select Tokens and create an API token. Note the value for later.



Finally, in the workspace you created, click on Settings > General Settings and note the Workspace ID. We need to this to setup the API call to Terraform.io

Github Actions

In this example, I am using GitHub Actions as the CI/CD tool. To prep the pipeline, please create the following secrets:

CHKP_CLOUDGUARD_ID #This is the CSPM API Key
CHKP_CLOUDGUARD_SECRET #CSPM API Key Secret
CSPM_RULE #The ID of your CSPM Terraform Rule
ORGANIZATION #Terraform Organization in Terraform Cloud
SG_CLIENT_ID #Sourceguard API Key
SG_SECRET_KEY #Sourceguard API Secret
TERRAFORM #Terraform Cloud API Key
WORKSPACE #Terraform Cloud Workspace - Get this from Terraform.io
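As an added example (not the repository's own pipeline code), here is what step 2 of the build pipeline, "creates configuration files to connect to Terraform Cloud", looks like when done from the TERRAFORM and ORGANIZATION secrets above. It assumes a WORKSPACE_NAME variable holding the workspace's name (the page only records the Workspace ID, which the remote backend does not accept), and it refuses to write a credentials file from an empty secret so the failure surfaces before terraform init.

```shell
#!/bin/sh
# Added example: write the files Terraform needs to reach Terraform Cloud.
# Inputs (from GitHub Actions secrets): TERRAFORM (API token), ORGANIZATION,
# and WORKSPACE_NAME (assumed; the workspace's name, not its ID).
set -eu

# Fail early if a required variable is unset or empty. An empty token would
# otherwise only fail later, inside `terraform init`, as a 401 from the API.
require_env() {
  eval "val=\${$1:-}"
  [ -n "$val" ] || { echo "missing required variable: $1" >&2; return 1; }
}

# Write the CLI credentials file Terraform consults for app.terraform.io.
# The umask is applied in a subshell so the file is never world-readable,
# not even for the instant between creation and chmod.
write_tfc_credentials() {
  dest="$1"
  require_env TERRAFORM || return 1
  ( umask 077
    printf 'credentials "app.terraform.io" {\n  token = "%s"\n}\n' "$TERRAFORM" > "$dest" )
  chmod 600 "$dest"
}

# Write a remote backend block so state lives in Terraform Cloud while the
# run itself (init/plan/apply) executes in the GitHub Actions runner.
write_backend_config() {
  dest="$1"
  require_env ORGANIZATION || return 1
  require_env WORKSPACE_NAME || return 1
  cat > "$dest" <<EOF
terraform {
  backend "remote" {
    hostname     = "app.terraform.io"
    organization = "${ORGANIZATION}"
    workspaces {
      name = "${WORKSPACE_NAME}"
    }
  }
}
EOF
}

# Keep only the last four characters of a token for build logs.
mask_token() {
  printf '****%s\n' "$(printf '%s' "$1" | tail -c 4)"
}
```

In a workflow step, export the three variables from `${{ secrets.* }}`, call `write_tfc_credentials "$HOME/.terraformrc"` and `write_backend_config ./backend.tf`, and log only `mask_token "$TERRAFORM"`.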

You should now be ready to run the pipeline. There are two actions you can perform: Build and Destroy. To kick off either action, edit either the _build_flag or the _destroy_flag file. Once you commit the change, the associated pipeline will start to run. You can view the status of the run by clicking on the "Actions" tab.

Here is an example of a build run

Here is the ShiftLeft IAC Scan

Here is the ShiftLeft Container Scan

Expand the Terraform Apply and scroll to the bottom to see the outputs.

Destruction

To destroy the environment, modify the _destroy_flag.
