Continuing in our PSRule for Azure series, in today’s post, we’re going to look at visualizing Infrastructure as Code (IaC) maturity. DevOps culture has brought the shift left paradigm and the practice of testing code before it’s merged. This is great, however, to review the test results you’d need to look at outputs directly in the CICD pipeline. This is easy for a centralized IaC repository (one Git repository containing templates and parameter files), but if you implement a decentralized module (published templates consumed by projects/teams in separate Git repositories) it can be quite challenging. Regardless of the repository model, the results are stored in the CICD pipeline logs, which are hard to visualize and have a retention period.
This article walks through why we need to visualize IAC maturity and how to implement a solution with PSRule for Azure.
Note: PSRule for Azure only supports ARM templates and Bicep right now.
What is IaC?
IaC is reusable files that can be used to provision resources in the Cloud. This provides the ability to incorporate organization standards, best practices, and security for projects using these templates.
There are a few maturity concerns that arise with this:
- Just because IaC templates deploy, doesn’t mean they are ready for production.
- There might be existing, unknown gaps in the templates.
- Are the templates being updated to include new Azure features?
Okay, so what framework can we use to scan our IaC maturity against? The Well Architected Framework of course!
Azure Well-Architected Framework
At a high level (very high level) the Well-Architected Framework (WAF) is a combination of tools, documentation, Microsoft offerings and reference material correlated by Microsoft over the years.
These recommendations are broken down into 5 pillars. I like to remember them by the acronym CROPS.
WAF contains actionable recommendations for resources and solutions running in Azure. Great, we now know what framework we can use to assess our IaC maturity. Well… What tool can I use that provides recommendations that align with the WAF? The answer is PSRule for Azure!
PSRule for Azure
PSRule for Azure is an open-source tool that assesses IaC for best practices that align with the Azure WAF. It provides native plug-ins for Azure DevOps, GitHub actions, and VSCode, however, it can run on any CICD system. For more information on PSRule for Azure (Previous Post).
PSRule for Azure can be easily incorporated into an existing CICD system to generate actionable recommendations. These recommendations can be used during the Continuous Integration (CI) phase on a pipeline, to ensure that only high-quality, WAF-aligned, mature code is merged.
The following diagram visualizes this feedback loop:
This is great, our pipelines are assessing our IaC code against WAF, but how can I visualize this? Well, PSRule for Azure provides native integration to publish results to an Azure Log Analytics workspace. To set this up, you can follow the documentation PSRules Log Analytics Integration.
Once the integration is set up, the IaC scan results from PSRule are available to be queried and alerted on in Azure.
Visualizing IaC Maturity
So now we’ve got everything set up, we can start playing around with the data. I started off by trying to answer a few high-level questions:
- How many GitHub or ADO organizations are we scanning?
- How frequently are the scans occurring?
- How many ARM/Bicep modules are in use?
- Scan outcomes (pass vs fail) overall and by Pillars?
Okay great, I can see that we’re passing a lot of the rules, but I know the rules are broken down into different severities. What does this view look like?
Okay, what about my progress over time:
- Are we adding more templates?
- Moving from ARM templates to Bicep?
- Outcomes overtime?
Okay, that’s a great Overview. But I want to be able to investigate the findings by pillar and rather than just a high-level grouping by each pillar, I want to see the categories of each recommendation.
The category data is amazing for adding context to the findings and it provides the ability to categorize and quantify improvements in specific areas of our IaC. Let’s drill into the findings and confirm what resources these findings apply to:
With this Workbook, I now have a way to visualize, report on and quantify my IaC estate. This means I can start creating work tasks and measure our IaC maturity improvements in a qualifiable, visualized manner.
Try it yourself! Follow the PSRule Log Analytics integration guide and import the sample workbook to visualize your data. The sample workbook provides all of the queries shown in the examples above.