Holiday Update: Terraform and Tekton CD for Our Security Tutorial


Deploy the tutorial app using Schematics, Terraform, and a Tekton-based pipeline.

If you read the blog "IBM Cloud Solution Tutorials: 2020 in Review," you will have noticed that the IBM Cloud Solution Tutorials can now also be found in a new tutorials library in the IBM Cloud documentation portal. One of the tutorials in the Security category discusses how to apply end-to-end security to a cloud application. In June, I blogged about how it had been extended with a discussion of how to share development resources.

The app and its resources can be deployed by following the steps in the tutorial itself or by using an automated toolchain with scripting. I'm happy to share with you that we switched from a classic toolchain, which rolled out the required resources, built the app, and deployed it in one go, to a more granular approach. It uses IBM Cloud Schematics to manage the resource deployment based on Terraform, and a Tekton-based pipeline in the Continuous Delivery service to build and deploy the app.

In the following, I am going to discuss some of the details:

Solution diagram: An app with end-to-end security to share files.


IBM Cloud Schematics and Terraform

Terraform is an open source solution for Infrastructure as Code. The desired state is described in one or more files written in a configuration language. As a user or administrator, you typically plan, apply, or destroy a configuration: generate a plan, review the changes Terraform intends to make to your resources (including any it would replace or delete), then apply those changes, or destroy the configuration to delete the resources again. Reviewing the plan is the step that catches unintended replacements or deletions before they reach the account. Terraform works well from a local machine, with a single cloud provider, or in a hybrid/multicloud environment.

IBM Cloud Schematics features Terraform-as-a-Service. It manages workspaces that hold a Terraform configuration and execution environment. Similar to running Terraform on your own, you can plan, apply, or destroy a Terraform-based deployment of resources. You can interact with Schematics in the IBM Cloud UI in its dashboard, use the command line, or work with its REST API.

To set up the required resources for the solution tutorial, you click the "deploy" link found in the source code repository on GitHub. Next, you set the (Terraform) variables where you do not want to go with the defaults (see screenshot below). Then everything is ready for Apply plan. Once the resources are deployed, you can set up the toolchain and deploy the app:

Configure the Terraform-based resource deployment in your Schematics workspace.


Tekton pipelines

The Continuous Delivery service on IBM Cloud (CD service) allows for the automation of building and deploying applications. It offers open toolchains to set up CI/CD (Continuous Integration/Continuous Delivery) pipelines, thereby supporting a DevOps or DevSecOps approach for app development and operation. The CD service supports its own ("classic") delivery pipelines as well as Tekton delivery pipelines. Tekton pipelines integrate deeply with the Kubernetes ecosystem and run either on shared Kubernetes workers provided by the CD service or on your own private workers, that is, a Kubernetes cluster you control, which keeps the build and deploy steps and the credentials they use inside your own environment.

To deploy the app, create a toolchain by clicking the Create toolchain link in the source code repository on GitHub. Then you configure the GitHub integration and a few environment settings. All other properties are read from the Schematics workspace, which manages most of the metadata. Once the toolchain is created, you may notice that the toolchain has two code integrations with GitHub (and a single Delivery Pipeline):

  • One is for the tutorial source code and provides the app code.
  • The second is to the Tekton Catalog, which offers readily available pipeline tasks for reuse. We integrate two such tasks.

Toolchain with two GitHub integrations and one delivery pipeline.

Our pipeline to build and deploy the app reuses the icr-containerize task to build the app and the icr-va-check-scan task to scan the new image for vulnerabilities and check the result. Both tasks use the IBM Cloud Container Registry to manage the Docker image. As you can see in the screenshot below, the container with the updated app is only deployed if the scan does not find any security issues. Keep in mind what such a scan covers: Vulnerability Advisor reports known vulnerabilities in the packages installed in the image, plus the configuration issues it checks for, so a clean result means no known issues at the time of the scan, not that the application code itself is free of flaws. Images should be rescanned as new vulnerabilities are published.

Once the last pipeline task has completed, you can click the link for the log output to access the deployed app.

Tekton pipeline: The image is built, the security check succeeded, deployment is ongoing.

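As an added example, not the tutorial's own pipeline and not code from the Tekton Catalog, here is a minimal Tekton Pipeline that enforces the same gate in plain Tekton syntax: the deploy task is skipped unless the scan task's result is exactly "passed", the scan result defaults to "failed" so a scanner crash cannot open the gate, and scan and deploy both refer to the image by the digest the build recorded, so what gets deployed is exactly what was scanned. The kaniko build, the trivy scanner standing in for Vulnerability Advisor, the registry path, the Deployment and its container name "app", and the image versions are all assumptions of this example.

```yaml
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: build-image
spec:
  params:
    - name: repository      # e.g. us.icr.io/myns/app (assumption of this example)
    - name: tag
  workspaces:
    - name: source          # checked-out app code with its Dockerfile
  results:
    - name: digest          # sha256:... of the image kaniko actually pushed
  steps:
    - name: kaniko
      image: gcr.io/kaniko-project/executor:v1.9.1
      args:
        - --context=$(workspaces.source.path)
        - --destination=$(params.repository):$(params.tag)
        - --digest-file=$(results.digest.path)
---
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: scan-image
spec:
  params:
    - name: image-ref       # repository@sha256:..., the digest from the build
  results:
    - name: status          # "passed" only for a clean scan; anything else blocks deploy
  steps:
    - name: trivy           # stands in for Vulnerability Advisor in this example
      image: aquasec/trivy:0.45.0
      script: |
        #!/bin/sh
        # Fail closed: write "failed" first, overwrite with "passed" only when trivy
        # exits 0 (no HIGH/CRITICAL findings). A scanner crash keeps "failed".
        printf failed > "$(results.status.path)"
        if trivy image --exit-code 1 --severity HIGH,CRITICAL --no-progress "$(params.image-ref)"; then
          printf passed > "$(results.status.path)"
        fi
---
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: deploy-image
spec:
  params:
    - name: image-ref       # deploy by digest, never by a mutable tag
    - name: deployment      # Kubernetes Deployment to update
  steps:
    - name: kubectl
      image: bitnami/kubectl:1.27
      script: |
        #!/bin/sh
        set -e
        # "app" is the container name inside the Deployment (assumption of this example)
        kubectl set image "deployment/$(params.deployment)" "app=$(params.image-ref)"
        kubectl rollout status "deployment/$(params.deployment)" --timeout=120s
---
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: build-scan-deploy
spec:
  params:
    - name: repository
    - name: tag
    - name: deployment
  workspaces:
    - name: source
  tasks:
    - name: build
      taskRef: {name: build-image}
      workspaces: [{name: source, workspace: source}]
      params:
        - name: repository
          value: $(params.repository)
        - name: tag
          value: $(params.tag)
    - name: scan
      runAfter: [build]
      taskRef: {name: scan-image}
      params:
        - name: image-ref
          value: $(params.repository)@$(tasks.build.results.digest)
    - name: deploy
      runAfter: [scan]
      # The gate: deploy is skipped unless scan wrote exactly "passed".
      # If scan fails outright, the pipeline stops before reaching this task.
      when:
        - input: $(tasks.scan.results.status)
          operator: in
          values: ["passed"]
      taskRef: {name: deploy-image}
      params:
        - name: image-ref
          value: $(params.repository)@$(tasks.build.results.digest)
        - name: deployment
          value: $(params.deployment)
```

Apply the four objects with kubectl apply -f and start a run with tkn pipeline start build-scan-deploy -p repository=... -p tag=... -p deployment=... -w name=source,claimName=<your PVC>. On the IBM Cloud CD service the catalog tasks icr-containerize and icr-va-check-scan take the build and scan roles; kaniko and trivy only stand in for them here so the example runs on any Tekton installation. The two properties worth copying into any variant are the fail-closed result and the digest reference: a mutable tag could point at a different image by the time the deploy step runs, a digest cannot.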

Conclusions

Separating the rollout of resources (infrastructure) from the deployment of the app allows you to use a different tool for each task: IBM Cloud Schematics with Terraform-as-a-Service for the resources, Continuous Delivery with a Tekton pipeline for the app. The pipeline tasks that build the Docker image and scan it for vulnerabilities come from an open source library (the Tekton Catalog). Switching from the previous classic toolchain to the new setup required some work, but now everything is based on open source technologies, is configuration-based, and is easy to extend.

If you want to try it, head over to the GitHub repository with the source code and read the tutorial on how to apply end-to-end security to a cloud application for background information.

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.
