PSRule: Visualize Infrastructure as Code Maturity
Published Oct 07 2022 02:00 AM 9,220 Views
Microsoft

Introduction

Continuing our PSRule for Azure series, in today's post we're going to look at visualizing Infrastructure as Code (IaC) maturity. DevOps culture has brought the shift-left paradigm and the practice of testing code before it's merged. This is great; however, to review the test results you need to look at the outputs directly in the CI/CD pipeline. That is easy for a centralized IaC repository (one Git repository containing templates and parameter files), but if you implement a decentralized module model (published templates consumed by projects and teams in separate Git repositories) it can be quite challenging. Regardless of the repository model, the results are stored in the CI/CD pipeline logs, which are hard to visualize and are subject to a retention period.

This article walks through why we need to visualize IaC maturity and how to implement a solution with PSRule for Azure.


Note: PSRule for Azure currently supports only ARM templates and Bicep.


What is IaC?

IaC is a set of reusable files that provision resources in the cloud. This provides the ability to build organization standards, best practices, and security controls into the templates that projects consume.

iac-template-flow.png

There are a few maturity concerns that arise with this:

  • Just because IaC templates deploy, doesn’t mean they are ready for production.
  • There might be existing, unknown gaps in the templates.
  • Are the templates being updated to include new Azure features?

Okay, so what framework can we use to assess our IaC maturity against? The Well-Architected Framework, of course!

 

Azure Well-Architected Framework

At a high level (a very high level), the Well-Architected Framework (WAF) is a combination of tools, documentation, Microsoft offerings, and reference material collated by Microsoft over the years.

sambell0803_1-1663154102178.png

These recommendations are broken down into 5 pillars: Cost Optimization, Reliability, Operational Excellence, Performance Efficiency, and Security. I like to remember them by the acronym CROPS.

pillars.png

WAF contains actionable recommendations for resources and solutions running in Azure. Great, we now know which framework we can use to assess our IaC maturity. But what tool provides recommendations that align with the WAF? The answer is PSRule for Azure!

PSRule for Azure

PSRule for Azure is an open-source tool that assesses IaC against best practices aligned with the Azure WAF. It provides native plug-ins for Azure DevOps, GitHub Actions, and VS Code; however, it can run on any CI/CD system. For more information on PSRule for Azure, see the previous post in this series.

PSRule for Azure can easily be incorporated into an existing CI/CD system to generate actionable recommendations. These recommendations can be used during the Continuous Integration (CI) phase of a pipeline to ensure that only high-quality, WAF-aligned, mature code is merged.

The following diagram visualizes this feedback loop:

psrule-ci.png

This is great: our pipelines are assessing our IaC against the WAF, but how can I visualize this? PSRule for Azure provides native integration to publish results to an Azure Log Analytics workspace. To set this up, follow the PSRule Log Analytics integration documentation.

Once the integration is set up, the IaC scan results from PSRule are available to be queried and alerted on in Azure.


Visualizing IaC Maturity

Now that we've got everything set up, we can start exploring the data. I started off by trying to answer a few high-level questions:

  • How many GitHub or Azure DevOps (ADO) organizations are we scanning?
  • How frequently are the scans occurring?
  • How many ARM/Bicep modules are in use?
  • What are the scan outcomes (pass vs. fail), overall and by pillar?
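
To see where these pass/fail-by-pillar numbers come from before they reach the workbook, here is an added PowerShell example (not code from this post or from the PSRule project) that runs PSRule for Azure over a template folder in a CI job, summarises outcomes by WAF pillar and severity, forwards the records to Log Analytics, and fails the job on any failed rule. It assumes the PSRule, PSRule.Rules.Azure and PSRule.Monitor modules are installed, that the rule metadata keys pillar and severity are exposed under Info.Annotations, that Send-PSRuleMonitorRecord accepts -WorkspaceId and a SecureString -SharedKey, and that the ./infra path and the two environment variables are placeholders for your own values.

```powershell
# Added example (not from the original post or the PSRule project).
# Assumptions: PSRule, PSRule.Rules.Azure and PSRule.Monitor are installed;
# the workspace id and shared key arrive as pipeline secrets (placeholder names).
$ErrorActionPreference = 'Stop'

# Scan every ARM template and Bicep file under ./infra with the Azure WAF rule set.
$results = Invoke-PSRule -InputPath './infra' -Module 'PSRule.Rules.Azure' -Format File

# Each RuleRecord carries the rule's documentation metadata in Info.Annotations;
# PSRule for Azure documents 'pillar', 'category' and 'severity' there (assumed keys).
$summary = $results |
    Group-Object { '{0}|{1}' -f $_.Info.Annotations.pillar, $_.Info.Annotations.severity } |
    ForEach-Object {
        $pillar, $severity = $_.Name -split '\|'
        [pscustomobject]@{
            Pillar   = $pillar
            Severity = $severity
            Pass     = @($_.Group | Where-Object Outcome -eq 'Pass').Count
            Fail     = @($_.Group | Where-Object Outcome -eq 'Fail').Count
        }
    } | Sort-Object Pillar, Severity

# Same breakdown the workbook's overview and severity views show, printed in the job log.
$summary | Format-Table -AutoSize

# Forward every record (pass and fail) so the workbook can trend outcomes over time.
$sharedKey = ConvertTo-SecureString $env:LOG_ANALYTICS_SHARED_KEY -AsPlainText -Force
$results | Send-PSRuleMonitorRecord -WorkspaceId $env:LOG_ANALYTICS_WORKSPACE_ID -SharedKey $sharedKey

# Gate the merge: any failed rule fails the CI job after listing what and where.
$failed = @($results | Where-Object Outcome -eq 'Fail')
if ($failed.Count -gt 0) {
    $failed |
        Select-Object RuleName, TargetName, @{ n = 'Pillar'; e = { $_.Info.Annotations.pillar } } |
        Format-Table -AutoSize
    throw "PSRule for Azure reported $($failed.Count) failed rule(s); see the table above."
}
```

Keep the shared key in a pipeline secret rather than a repository variable, and consider an allow-list of rules that must pass (for example all Security pillar rules) if a full hard gate is too strict for a migration period.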

iac-overview-psrule-blog-2.png

Okay great, I can see that we're passing a lot of the rules, but I know the rules are broken down into different severities. What does this view look like?

severities-psrule-demo.png


Okay, what about my progress over time?

  • Are we adding more templates?
  • Are we moving from ARM templates to Bicep?
  • How are outcomes trending over time?

psrule-demo-overtime.png

Okay, that's a great overview. But I want to be able to investigate the findings by pillar, and rather than just a high-level grouping by each pillar, I want to see the categories of each recommendation.

pillar-category-1.png

The category data is amazing for adding context to the findings, and it provides the ability to categorize and quantify improvements in specific areas of our IaC. Let's drill into the findings and confirm which resources these findings apply to:

pillar-category-2.png

With this Workbook, I now have a way to visualize, report on, and quantify my IaC estate. This means I can start creating work tasks and measure our IaC maturity improvements in a quantifiable, visualized manner.

Next Steps

Try it yourself! Follow the PSRule Log Analytics integration guide and import the sample workbook to visualize your data. The sample workbook provides all of the queries shown in the examples above.

Last update: Sep 14 2022 05:46 AM