So, you are probably starting to migrate workloads out to the cloud. If you are rapidly deploying instances, how do you know that they are protected? Maybe you have started experimenting with Infrastructure as Code (IaC) as a deployment method. Well, look no further my friend. Today, we are going to do an automated security deployment using Terraform from Hashicorp, a Microsoft Azure resource called a Custom Script Extension, and a Trend Micro Cloud One deployment script stored in a Microsoft Azure Key Vault.
To start, let's get some Terraform going! This is a simple template that programmatically deploys a sample Microsoft Windows 2016:latest server in Microsoft Azure. This is a huge time saver because you don't have to go through the Azure Console and set up all these settings by hand via point and click. All the necessary components are deployed in order. Below is a snippet of the full template being run. It shows the section of the Terraform code specifying the Virtual Machine specifics, such as the publisher, offer, and sku being provisioned from Microsoft Azure. You can also store your Terraform template in a code repo like GitHub for easy access and sharing with your staff for future repeatability.
# Create the Virtual Machine. The VM name, admin username and password come from input variables provided by the user at runtime.
resource "azurerm_virtual_machine" "TerraformSEVM" {
  name                  = "${var.vm_name}"
  location              = "southcentralus"
  resource_group_name   = "${azurerm_resource_group.TerraformSE.name}"
  network_interface_ids = ["${azurerm_network_interface.TerraformSENIC.id}"]
  vm_size               = "Standard_DS1_v2"

  # OS disk created from the marketplace image below
  storage_os_disk {
    name              = "OS"
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "Premium_LRS"
  }

  # Marketplace image to provision: Windows Server 2016 Datacenter, latest build
  storage_image_reference {
    publisher = "MicrosoftWindowsServer"
    offer     = "WindowsServer"
    sku       = "2016-Datacenter"
    version   = "latest"
  }

  # os_profile and os_profile_windows_config (admin credentials) are omitted from this snippet
}
Here is the Terraform template above being executed in my local console. This automatically builds the Azure Virtual Machine and all the necessary components that make up the Virtual Machine.
Once the script runs, you should get a fully provisioned Virtual Machine in Azure that you can interact with.
Here is the completed provisioned Virtual Machine in the Microsoft Azure console!
Pretty cool! If you also use Terraform to provision a network security group, as shown below, you can even RDP to the instance!
# Create a security group that allows RDP for remote management (the WinRM rule is not shown in this snippet)
resource "azurerm_network_security_group" "TerraformSENSG" {
  name                = "TerraformSENSG"
  location            = "southcentralus"
  resource_group_name = "${azurerm_resource_group.TerraformSE.name}"

  # Inbound RDP (TCP 3389) from any source address
  security_rule {
    name                       = "RDP"
    priority                   = 1001
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "3389"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}
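The rule above has source_address_prefix set to "*", which exposes port 3389 to the whole internet. As an added example (not code from the original post), here is the same security group with RDP and WinRM limited to a management range, plus the association that actually attaches the group to the VM's NIC; an NSG that is not associated with a NIC or subnet filters nothing. It assumes the resource names used in the post, a mgmt_cidr variable supplied at runtime, and an azurerm provider that includes the azurerm_network_interface_security_group_association resource.

```hcl
# Added example, not from the original post. Assumes the resource names used in
# the post, a mgmt_cidr variable supplied at runtime, and an azurerm provider
# that includes azurerm_network_interface_security_group_association.

variable "mgmt_cidr" {
  description = "CIDR range allowed to reach RDP and WinRM, e.g. your VPN egress"
}

resource "azurerm_network_security_group" "TerraformSENSG" {
  name                = "TerraformSENSG"
  location            = "southcentralus"
  resource_group_name = "${azurerm_resource_group.TerraformSE.name}"

  # RDP only from the management range, not from "*"
  security_rule {
    name                       = "RDP-from-mgmt"
    priority                   = 1001
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "3389"
    source_address_prefix      = "${var.mgmt_cidr}"
    destination_address_prefix = "*"
  }

  # WinRM over HTTPS (5986) from the same range; plain-HTTP 5985 stays closed
  security_rule {
    name                       = "WinRM-HTTPS-from-mgmt"
    priority                   = 1002
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "5986"
    source_address_prefix      = "${var.mgmt_cidr}"
    destination_address_prefix = "*"
  }
}

# The NSG filters nothing until it is attached to the VM's NIC (or its subnet);
# once attached, Azure's default DenyAllInBound rule blocks internet traffic
# that no rule above allows.
resource "azurerm_network_interface_security_group_association" "TerraformSENIC" {
  network_interface_id      = "${azurerm_network_interface.TerraformSENIC.id}"
  network_security_group_id = "${azurerm_network_security_group.TerraformSENSG.id}"
}
```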
Run terraform apply to apply the security group change.
terraform apply
Here is my associated RDP session after applying this rule!
Next, let's adjust our Terraform script to use the Microsoft Azure custom script extension resource. This is illustrated below.
# Run the Deep Security agent install with the Custom Script Extension. Terraform reads the script's SAS URI (including its token) from Key Vault and provides it to the extension as the file to download and run with PowerShell.
resource "azurerm_virtual_machine_extension" "custom-script" {
  name                 = "DeepSecurityInstall"
  resource_group_name  = "${azurerm_resource_group.TerraformSE.name}"
  location             = "southcentralus"
  virtual_machine_name = "${azurerm_virtual_machine.TerraformSEVM.name}"
  publisher            = "Microsoft.Compute"
  type                 = "CustomScriptExtension"
  type_handler_version = "1.9"

  # The extension downloads each fileUris entry into its working directory, then runs commandToExecute there
  settings = <<SETTINGS
{
  "fileUris": ["${data.azurerm_key_vault_secret.DeepSecurityDeployment.value}"],
  "commandToExecute": "powershell -ExecutionPolicy Unrestricted .\\WindowsAgentDeployScript.ps1"
}
SETTINGS
}
This is a secure way of using a stored secret: Terraform retrieves the deployment script's location from Azure Key Vault and hands it to the custom script extension, which then runs the script on the Virtual Machine.
But wait, where do I get my Trend Micro security deployment script? Good question! It can easily be obtained from your Trend Micro Cloud One console under the Support section in the upper right, as illustrated below.
This deployment script is saved in my Azure Key Vault for secure retrieval.
To apply the custom script extension across your provisioned infrastructure, you can simply use the one-liner shown below; the same command applies all subsequent changes to your IaC.
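One detail worth checking: the snippet above puts the SAS URI in settings, which Azure stores and displays unencrypted, and Terraform also writes any secret it reads into its state file. As an added example (not code from the original post), here is the Key Vault lookup the snippet relies on together with the extension using protected_settings, which Azure encrypts and only decrypts on the VM itself. It assumes the same provider arguments as the post's snippet plus key_vault_id on the secret data source, a Key Vault resource named TerraformSEKV, and a secret named DeepSecurityDeployment whose value is the script's SAS URI.

```hcl
# Added example, not from the original post. Assumes the same provider
# arguments as the post's snippet (plus key_vault_id on the data source), a
# Key Vault resource "TerraformSEKV", and a secret "DeepSecurityDeployment"
# whose value is the deployment script's SAS URI.

data "azurerm_key_vault_secret" "DeepSecurityDeployment" {
  name         = "DeepSecurityDeployment"
  key_vault_id = "${azurerm_key_vault.TerraformSEKV.id}"
  # Terraform reads this with its own identity, which needs only the "get"
  # secret permission on the vault. The value is also written to the state
  # file, so the state backend needs the same protection as the vault.
}

resource "azurerm_virtual_machine_extension" "custom-script" {
  name                 = "DeepSecurityInstall"
  resource_group_name  = "${azurerm_resource_group.TerraformSE.name}"
  location             = "southcentralus"
  virtual_machine_name = "${azurerm_virtual_machine.TerraformSEVM.name}"
  publisher            = "Microsoft.Compute"
  type                 = "CustomScriptExtension"
  type_handler_version = "1.9"

  # No "settings" block at all: anything placed there is stored and shown in
  # clear text. A SAS URI is a bearer credential for the blob, so fileUris
  # (and the command line) go in protected_settings, which Azure encrypts and
  # only decrypts on the VM.
  protected_settings = <<PROTECTED_SETTINGS
{
  "fileUris": ["${data.azurerm_key_vault_secret.DeepSecurityDeployment.value}"],
  "commandToExecute": "powershell -ExecutionPolicy Unrestricted .\\WindowsAgentDeployScript.ps1"
}
PROTECTED_SETTINGS
}
```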
terraform apply
Here you can see the custom script extension being applied!
Once your deployment is complete, log on to the Trend Micro console and check your Azure account. You want to confirm that the instance shows up in the correct resource group and that the deployment was successful.
Well, we accomplished what we set out to do! Using Terraform (IaC), we can automate server deployments from templated infrastructure, so the same deployment settings are applied each and every time. We can also build security into the process: it no longer has to be an afterthought, and we get visibility into our cloud-based workloads with Trend Micro Cloud One.
References for article:
Microsoft Azure Custom Script Extension:
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows
Trend Micro Cloud One Workload Security:
https://www.trendmicro.com/en_us/business/products/hybrid-cloud/cloud-one-workload-security.html
Hashicorp Terraform: