Set up your DevSecOps infrastructure and CI toolchain for deploying a secure app
Use this tutorial for automated setup and provisioning of the infrastructure for your CI and CD toolchains by using a Terraform-based quick start template. The template uses DevSecOps best practices of compliance and security. The template uses an IBM Cloud® Schematics workspace, which automates the creation of the required infrastructure for securely deploying your app to either Kubernetes or Red Hat® OpenShift®. The template uses the DevSecOps IBM Cloud® Continuous Delivery toolchain pipeline structure. The toolchain is preconfigured for continuous delivery with inventory integration, change management, evidence collection, and deployment.
IBM Cloud Schematics delivers Terraform-as-a-Service so that you can use a high-level scripting language to model the resources that you want in your IBM Cloud environment, and enable Infrastructure as Code (IaC). Terraform is open source software that is developed by HashiCorp. Terraform enables predictable and consistent resource provisioning to rapidly build complex, multitier cloud environments.
In this tutorial, you follow three easy steps to create a Schematics workspace, apply a Terraform execution plan, and update the environment properties value. When you apply the plan, the Schematics workspace sets up your secure infrastructure. This infrastructure is shareable with your team, and it works with the DevSecOps CI and CD toolchain templates. DevSecOps is a methodology that integrates security practices with the software development and operations lifecycle; its goal is to balance development speed and security.
The automated infrastructure setup creates resources that are automatically provisioned by using the default values from the DevSecOps CI and CD templates. You can find the default values in the Variables section of the Schematics workspace. The following resources are created:
- A cluster in IBM Cloud® Kubernetes Service or Red Hat OpenShift on IBM Cloud.
- A standard IBM Cloud Object Storage instance and bucket.
- IBM Cloud® Secrets Manager. Note that only one Secrets Manager instance is permitted. If you already have a Secrets Manager service, be sure to override the `sm_service_name` default value in step 2.
- GPG image signing key.
- A fully functional DevSecOps CI toolchain that builds, tests, and deploys a sample Node.js application by using DevSecOps best practices of compliance and security.
Before you begin
- To complete this tutorial, use a Pay-As-You-Go or Subscription IBM Cloud account where you are the owner or have full Administrator access. If you already have an IBM Cloud account and need to upgrade it, see Upgrading your account.
- Install the IBM Cloud CLI if you want to interact with elements of the toolchain or infrastructure after they are created.
- Obtain a GitLab Personal Access Token. Enter a name for your personal access token. Create your token in the same region as your CI toolchain. Be sure to copy and save the token because you need it later, and you cannot access it again.
- Create an IBM Cloud API key. Be sure to copy and save or download the API key value because you need it later, and you cannot access it again.
Create a Schematics workspace
- Click one of the following options for the cluster deployment target. This action takes you to the Deploy to IBM Cloud page where you create a Schematics workspace. Complete the required fields on that page, and then click Next. Based on which option you select, the corresponding Terraform template from this repository is automatically imported into the new Schematics workspace.
- Verify the information, and then click Create. The Schematics workspace is created, and the Settings page for the Schematics workspace is displayed.
Apply the Terraform execution plan
- In the Variables section of the Schematics Settings page, enter the values for each variable. Required fields don't have default values. You can override default values. If you override the `sm_service_name` value, the Terraform execution plan uses the existing resource instead of creating a new resource.
- For the `gitlab_token` variable, enter the personal access token that you obtained previously.
- For the `ibmcloud_api_key` variable, enter the IBM Cloud API key that you obtained previously.
- For the `registry_namespace` variable, enter a container registry namespace value. To create a namespace, see Container Registry Namespaces.
- For the `kube_version` variable, run `ibmcloud ks versions` on a command line to see the available versions.
- Optional. If you already have a Secrets Manager instance, enter its name for the `sm_service_name` variable. Otherwise, don't change this variable.
- Optional. If you want to adjust the size or location of your cluster, you can override the following variables: `datacenter`, `default_pool_size`, `machine_type`, `hardware`, `public_vlan_num`, or `private_vlan_num` (the default values are for the dal12/us-south datacenter).
- Optional. Click Generate plan. This action creates a Terraform execution plan and checks your configuration for syntax errors. On the Schematics Jobs page, you can review the log files for errors and for the IBM Cloud resources that must be created, modified, or deleted to reach the state that the Terraform template describes.
- After you enter all the values for the variables and are satisfied with the changes, click Apply plan to run your infrastructure code. This step takes some time to complete (usually 20 - 30 minutes, but it can take longer) because a new Kubernetes or OpenShift cluster is created.
- On the Schematics Jobs page, you can view the log by expanding the job name.
- After the plan is applied, view the URL of the generated IBM Cloud DevSecOps CI toolchain. The URL is near the end of the log file, on a line that begins with `View the toolchain at:`.
If you apply your plan a second time, the previously created Kubernetes or OpenShift cluster and any applications that are deployed to it are deleted, and a new cluster is created. However, if you override the default cluster name, that cluster is used.
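As an added example that is not part of this tutorial or of the Schematics template, the following POSIX shell script performs the pre-flight check a practitioner would want before clicking Apply plan. It reads the variable values from a local KEY=VALUE file (an assumed format for this script only; Schematics takes the values from the workspace Variables section), reports which required variables are still empty without printing the secret values, lists the optional overrides that change what the plan does (an existing Secrets Manager instance is reused, or the cluster is not the dal12/us-south default), and extracts the toolchain URL from the line that begins with View the toolchain at: in a saved job log. The variable names and the log line are the ones named in the steps above; the sample values and the log excerpt are constructed.

```shell
#!/bin/sh
# Added example, not part of the IBM Cloud tutorial or the Schematics template.
# Pre-flight check before "Apply plan": confirms every required variable has a
# value, flags overrides that change what the plan does, and pulls the
# toolchain URL out of a saved job log. Variable names and the log line come
# from the tutorial; the KEY=VALUE input file format is an assumption of this
# script. Secret values are never printed, only their presence is reported.

# Variables the tutorial marks as required (no default in the workspace).
REQUIRED_VARS="gitlab_token ibmcloud_api_key registry_namespace kube_version"
# Optional overrides that change the cluster size or location.
CLUSTER_VARS="datacenter default_pool_size machine_type hardware public_vlan_num private_vlan_num"

# var_value FILE NAME: print the value of NAME from a KEY=VALUE file (empty if unset).
var_value() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# check_required FILE: return 0 if every required variable is non-empty,
# otherwise print the missing names (never the values) to stderr and return 1.
check_required() {
  missing=""
  for v in $REQUIRED_VARS; do
    [ -n "$(var_value "$1" "$v")" ] || missing="$missing $v"
  done
  if [ -n "$missing" ]; then
    printf 'missing or empty:%s\n' "$missing" >&2
    return 1
  fi
  return 0
}

# overrides FILE: print the optional variables that carry a value, so whoever
# reviews the plan knows an existing Secrets Manager instance will be reused
# or the cluster will differ from the dal12/us-south default.
overrides() {
  set_vars=""
  for v in sm_service_name $CLUSTER_VARS; do
    [ -n "$(var_value "$1" "$v")" ] && set_vars="$set_vars $v"
  done
  printf '%s\n' "${set_vars# }"
}

# toolchain_url LOG: print the URL from the "View the toolchain at:" line.
toolchain_url() {
  sed -n 's/^View the toolchain at: *//p' "$1" | head -n 1
}

# --- constructed sample input: placeholder credentials and a fake log ---
TMP=$(mktemp -d)
VARS="$TMP/vars.txt"
LOG="$TMP/job.log"
cat > "$VARS" <<'EOF'
gitlab_token=TOKEN-PLACEHOLDER
ibmcloud_api_key=APIKEY-PLACEHOLDER
registry_namespace=example-namespace
kube_version=
sm_service_name=existing-secrets-manager
EOF
cat > "$LOG" <<'EOF'
Apply complete!
View the toolchain at: https://cloud.ibm.com/devops/toolchains/EXAMPLE-ID
EOF

if check_required "$VARS"; then
  echo "all required variables are set"
else
  echo "fix the variables listed above before clicking Apply plan"
fi
echo "overridden optional variables: $(overrides "$VARS")"
echo "toolchain: $(toolchain_url "$LOG")"
```

Because the input file holds the `gitlab_token` and `ibmcloud_api_key` values, keep it outside any repository and remove it once the values are entered in the workspace; the script itself only ever reports variable names.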
Deploy the app
Follow these steps to run the pipeline.
- Go to your newly created DevSecOps CI toolchain.
- Click the Git tile that starts with `compliance-app`.
- To trigger the pr-pipeline, update some text in the `README.md` file, and then start a PR against the `main` branch.
- In the Target Branch field, change the branch name from `main` to something else, for example `mybranch`.
- Ensure that the "Start a new merge request with these changes" checkbox is selected.
- Click Commit changes.
- Optional. On the New merge request page, add a description.
- Click Create merge request.
The pr-pipeline in the ci-toolchain is triggered. Verify that the pipeline is running by completing these steps:
- Return to your CI toolchain, and click the Delivery Pipeline tile for your `pr-pipeline`. On the pr-pipeline Dashboard page, you can see the pr-pipeline running.
- To view the progress, click the `pr-pipeline` link.
Figure 1. pr-pipeline Dashboard
Notes:
- If any vulnerabilities are found, then the code-pr-finish step fails.
- To find the vulnerabilities, go to `code-unit-tests` > `run-stage` to view the logs.
- Fix the vulnerabilities, and then the pr-pipeline is triggered again.
- Go back to the app repo tile.
- In the nav pane, click Merge requests.
- Select the PR.
- Optional. Click the Approve button. (If you don't, you see an error at the end of the ci-pipeline run.)
- Select "Delete source branch."
- Click Merge.
Merging this PR automatically triggers the ci-pipeline. To verify, go back to the ci-pipeline tile in the toolchain and verify that the pipeline is running. Click the pipeline link to see the progress.
This step deploys the app to the newly created cluster. The Application URL is at the bottom of the log file in the `deploy-dev` > `run-stage` step of the ci-pipeline.
Next steps
Continue to the "Explore your CI toolchain" section of the next tutorial, and run the CI-PR and CI pipelines. Then, continue through the remainder of the steps in that tutorial to deploy a secure app.
At any time, you can view all the resources that were created with this tutorial by clicking the Menu icon and selecting Resource list. You can view your Schematics workspace, cluster, IBM Cloud Object Storage instance, Secrets Manager service, continuous delivery service, and toolchain.