Introduction
In my role, I frequently engage with clients who aim to enforce best practices in security and governance while simultaneously granting developers the flexibility they need to innovate swiftly. As you adopt DevSecOps, achieving a balance between governance and agility in your Continuous Integration & Continuous Delivery (CI/CD) pipeline is essential. In this article, I will share how I leverage AWS CodePipeline and AWS CodeBuild to meet these objectives.
Background
Let’s first discuss the key players involved—platform engineers and developers. Historically, operations teams were tasked with designing, deploying, configuring, and maintaining various components of IT infrastructure. Conversely, development teams were responsible for crafting, deploying, and maintaining applications that operated on this infrastructure. This model maintained a clear division of responsibilities. However, the emergence of DevOps has transformed these roles. Development teams now utilize Infrastructure as Code (IaC) to provision infrastructure as part of their application code. Consequently, operations teams have transitioned into a supervisory capacity, ensuring that deployed resources comply with best practices. I will refer to this evolved role as the platform engineering team to differentiate it from the traditional operations team.
Building on the principles of DevOps, DevSecOps encourages the integration of security measures early in the software development lifecycle. Security teams establish best practices for these controls, which are often enforced within the CI/CD pipeline. This shift has altered the security team’s role as well; instead of conducting manual security assessments, they now define automated controls to be implemented in the pipeline, typically designed by platform engineers. The challenge for platform engineers is to enforce these controls without compromising developers’ agility. After all, DevOps is fundamentally about accelerating the development lifecycle. In this article, I will illustrate how to compartmentalize security controls and the build process into distinct phases of the pipeline, allowing platform engineers to enforce security measures in phases they manage while enabling developers to swiftly update their designated phases.
AWS CodePipeline is a fully managed continuous delivery service that automates your deployment pipelines. These pipelines consist of actions organized into stages, with many actions executed via AWS CodeBuild. Each CodeBuild action specifies where to source the code, which build environment to utilize, and the commands to execute. The build commands are detailed in a YAML format in a buildspec file. This buildspec can be stored within the CodeBuild configuration or as a file in the source code. By defining the buildspec in the CodeBuild configuration, platform engineers can maintain control; conversely, if it is embedded in the source code, developers can modify it as needed. This dual-action approach balances governance and agility.
Walkthrough
In this section, I will step into the shoes of a platform engineer and guide you through creating a straightforward pipeline, as described earlier. For simplicity, I will use the AWS console; however, for practical deployments, I recommend using AWS CloudFormation or the AWS Cloud Development Kit (CDK) Pipelines.
The development team has previously added their code to a CodeCommit repository. Alongside their source code, they have incorporated the following buildspec.yaml file at the root of the repository:
version: 0.2
phases:
  install:
    runtime-versions:
      python: 3.11
  build:
    commands:
      - pip install -r requirements.txt
      - pylint helloworld
      - coverage run --branch -m pytest
As seen above, this buildspec employs the Python 3.11 runtime. It installs dependencies, runs a linter, and executes unit tests with code coverage. Since the buildspec.yaml is included in the source code, developers can customize it freely, granting them significant autonomy and agility.
I am now set to initiate the creation of the pipeline. First, I will create a new CodeBuild project to execute the development team’s build as outlined in the previously reviewed buildspec.yaml. I open the CodeBuild Console and select “Create Project.” I label my project “BuildAndTest.” The details of creating a CodeBuild project are available in the CodeBuild User Guide under “Create a build project”; however, I want to emphasize the buildspec configuration. Here, I opt to “Use a buildspec file” and specify the file’s location in the repository.
By establishing the buildspec within the source code, I empower the development team to dictate the build process. They have the liberty to modify their build procedures as the project progresses, eliminating the need to request updates from me each time they wish to alter build commands. Furthermore, since I will configure a second build action incorporating the necessary security tools, I do not need to audit their buildspec.yaml file. I can trust that the required security tools are included.
Next, I will create another CodeBuild project for Software Composition Analysis (SCA). I return to the CodeBuild Console and choose “Create Project” again. This project is titled “SoftwareCompositionAnalysis.” The configuration mirrors that of the previous project, except for the Buildspec setup. This time, I select “Insert build commands” and directly enter the necessary commands to install and run OWASP Dependency-Check.
By defining the buildspec within the project configuration, I can apply an AWS Identity and Access Management (IAM) policy to ensure that the development team cannot alter it. This gives me confidence that the essential security tools are correctly installed and configured without relying on the developers to do it. Additionally, it grants me the flexibility to adjust the tools used without disrupting the developers or altering their code.
With both build actions defined, I can now create a pipeline to automate the overall build process. Following the instructions in “Create a pipeline in CodePipeline,” I established the following pipeline. In the build phase, I execute the SoftwareCompositionAnalysis action followed by the BuildAndTest action. Importantly, these actions run sequentially, meaning that the BuildAndTest action will not proceed if issues arise during the SoftwareCompositionAnalysis action.
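The same two projects, pipeline, and access restriction expressed as a CloudFormation template, which is what the walkthrough recommends for real deployments. This is an added illustration, not the article's own template (the author shows console steps only). Everything it names beyond the two project names and buildspec.yaml is an assumption: the service roles, artifact bucket, and developer IAM group are parameters you supply; the container image, the corretto17 runtime, the Dependency-Check release (left as a placeholder) and the CVSS fail threshold are this example's choices; and the Deny policy is one way to implement the "development team cannot alter it" rule from the text.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:   # all assumed to exist already; supplied by the platform team
  RepositoryName: {Type: String, Default: helloworld}
  CodeBuildRoleArn: {Type: String}
  PipelineRoleArn: {Type: String}
  ArtifactBucket: {Type: String}
  DeveloperGroupName: {Type: String}
Resources:
  # Platform-owned project: the buildspec is part of the project, not the repo.
  SoftwareCompositionAnalysis:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: SoftwareCompositionAnalysis
      ServiceRole: !Ref CodeBuildRoleArn
      Artifacts: {Type: CODEPIPELINE}
      Environment:
        Type: LINUX_CONTAINER
        ComputeType: BUILD_GENERAL1_SMALL
        Image: "aws/codebuild/amazonlinux2-x86_64-standard:5.0"   # assumed image
      Source:
        Type: CODEPIPELINE
        BuildSpec: |
          version: 0.2
          env:
            variables:
              DC_VERSION: "X.Y.Z"   # placeholder: pin a real Dependency-Check release
          phases:
            install:
              runtime-versions:
                java: corretto17    # Dependency-Check needs a JRE; assumed available here
            build:
              commands:
                - curl -sSL -o dc.zip "https://github.com/jeremylong/DependencyCheck/releases/download/v${DC_VERSION}/dependency-check-${DC_VERSION}-release.zip"
                - unzip -q dc.zip
                # Non-zero exit at CVSS 7 or above fails this action and stops the pipeline
                # (threshold is this example's choice, not from the article).
                - ./dependency-check/bin/dependency-check.sh --project helloworld --scan . --format HTML --out reports --failOnCVSS 7
  # Developer-owned project: buildspec.yaml is read from the repository.
  BuildAndTest:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: BuildAndTest
      ServiceRole: !Ref CodeBuildRoleArn
      Artifacts: {Type: CODEPIPELINE}
      Environment:
        Type: LINUX_CONTAINER
        ComputeType: BUILD_GENERAL1_SMALL
        Image: "aws/codebuild/amazonlinux2-x86_64-standard:5.0"
      Source:
        Type: CODEPIPELINE
        BuildSpec: buildspec.yaml   # path inside the source artifact
  Pipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      RoleArn: !Ref PipelineRoleArn
      ArtifactStore:
        Type: S3
        Location: !Ref ArtifactBucket
      Stages:
        - Name: Source
          Actions:
            - Name: Source
              ActionTypeId: {Category: Source, Owner: AWS, Provider: CodeCommit, Version: "1"}
              Configuration:
                RepositoryName: !Ref RepositoryName
                BranchName: main          # assumed branch
              OutputArtifacts:
                - Name: SourceOutput
        - Name: Build
          Actions:
            # RunOrder is what makes the two actions sequential. With the same
            # RunOrder they would run in parallel and an SCA failure could not
            # stop BuildAndTest from running.
            - Name: SoftwareCompositionAnalysis
              RunOrder: 1
              ActionTypeId: {Category: Build, Owner: AWS, Provider: CodeBuild, Version: "1"}
              Configuration:
                ProjectName: !Ref SoftwareCompositionAnalysis
              InputArtifacts:
                - Name: SourceOutput
            - Name: BuildAndTest
              RunOrder: 2
              ActionTypeId: {Category: Build, Owner: AWS, Provider: CodeBuild, Version: "1"}
              Configuration:
                ProjectName: !Ref BuildAndTest
              InputArtifacts:
                - Name: SourceOutput
  # Developers keep full control of buildspec.yaml in their repo but cannot
  # change or remove the platform-owned project (and its inline buildspec).
  DenySecurityProjectChanges:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Groups:
        - !Ref DeveloperGroupName
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Deny
            Action:
              - codebuild:UpdateProject
              - codebuild:DeleteProject
            Resource: !GetAtt SoftwareCompositionAnalysis.Arn
```

Two things worth checking after deploying something like this: confirm in the pipeline view that the Build stage shows the SCA action completing before BuildAndTest starts (the RunOrder values are the only thing enforcing that), and confirm that a developer principal actually receives an AccessDenied on UpdateProject for the SCA project, since the Deny policy only protects the project configuration and says nothing about the repository-side buildspec.yaml, which is intentionally left to the developers. Recent Dependency-Check releases also expect an NVD API key (passed with --nvdApiKey) and benefit from a cached data directory; both are omitted above to keep the example to what the article describes.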
I am now assured that my security tools are correctly configured within the pipeline while allowing developers to maintain control over the build and test actions.