Case study

DevSecOps Pipeline

Creating a security-focussed pipeline using company standard tooling.


The Brief

The infrastructure deployment to AWS at Luminus required a security-focussed pipeline using company standard tooling – Terraform code scanned by Tenable so that security-approved infrastructure is deployed every time.

Automated & Secure Infrastructure Deployment

Deploying infrastructure at Luminus needed to be automated while ensuring the resources created aligned with the company security standards and AWS best practices. Creating GitLab runners on AWS infrastructure provided a secure system for deploying Infrastructure-as-Code through automation while maintaining control of the environment running the Terraform. This foundation of standardised GitLab pipelines allowed integration with Tenable: all code is scanned on deployment for any security violations against Luminus standards and the AWS best practice frameworks.

GitLab & AWS Security

The Tenable integration with GitLab gives developers a system in which their IaC is scanned and any issues are raised immediately within GitLab, where the developer can review and remediate them. This not only helps developers ensure that what they deploy is up to standard but also prevents unsuitable code from going live.


In Production and Acceptance environments, pipelines are blocked from running if any detected violation is categorised as high risk.

AWS Security

High-risk violations fail the pipeline until the code is updated to resolve the issues raised in the GitLab repository.


Keeping this segregation of duties maintains a divide between the developer and the security tools while still allowing quick remediation: the developer can scan code, check issues and fix them through an automated process without needing access to the security tools or any involvement of security personnel.

GitFlow Workflow Overview

The pipelines leverage the GitFlow workflow with automated pipelines for AWS resource deployment.

The GitLab access is split into three levels (access role: purpose):

1. Owner: full access to all GitLab and pipeline features.
2. Maintainer: full code push, merging and pipeline access.
3. Developer: full code access but can't merge to the main branch – can only submit for approval to a Maintainer/Owner.

The roles are attached to AD groups for SSO; all authentication and access is controlled through Luminus AD controls.

[Figure: General GitFlow overview with GitLab pipeline – panels for the main branch, the develop branch(es), the GitLab pipeline and the Gitflow workflow]

Automated Security Scanning

Code goes through security scanning before the GitLab pipeline deploys infrastructure. The pipeline is integrated with Tenable, which checks the code against the Tenable Cloud Security Policies and the AWS Well-Architected Framework.


Remediation and Deployment of Infra via Terraform

The GitLab pipeline performs the following steps: on merge to a protected branch, the scan shows any exception that is AWS-specific, e.g. RDP access from anywhere.
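The gating policy described in the "Automated Security Scanning" section and the deployment steps above (scan before deploy; high-risk findings block Production and Acceptance, and are reported for remediation elsewhere) can be expressed as a small policy gate. The following is an added example, not Luminus's pipeline code or Tenable's tooling: the report schema, the rule ids and the findings are constructed stand-ins, and the RDP-from-anywhere finding simply mirrors the page's own example of an AWS-specific violation.

```python
"""Severity gate for IaC scan findings (added example, not the page's code).

The JSON schema parsed here is a constructed stand-in for a scanner report;
it is not Tenable's real output format.
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass

# Environments in which a high-risk violation blocks the pipeline (per the page).
BLOCKING_ENVIRONMENTS = {"production", "acceptance"}
SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str   # normalised to "low" | "medium" | "high"
    resource: str
    message: str


def parse_findings(report_json: str) -> list[Finding]:
    """Parse a scan report (constructed schema) into Finding objects.

    Unknown severities are rejected rather than silently treated as low,
    so a schema change in the scanner fails the job loudly.
    """
    data = json.loads(report_json)
    findings: list[Finding] = []
    for item in data.get("findings", []):
        sev = str(item.get("severity", "")).lower()
        if sev not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity {sev!r} in finding {item!r}")
        findings.append(Finding(item["rule_id"], sev, item["resource"], item["message"]))
    return findings


def gate(findings: list[Finding], environment: str) -> tuple[bool, list[Finding]]:
    """Return (allowed, blocking_findings).

    High-risk findings block in Production/Acceptance. In other environments
    they are still reported (via summarise) but do not block the pipeline.
    """
    high = [f for f in findings if f.severity == "high"]
    if environment.lower() in BLOCKING_ENVIRONMENTS and high:
        return False, high
    return True, []


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity for the job log / merge request note."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample report: a security group opening RDP (tcp/3389) to the
# world, the page's own example of an AWS-specific violation, plus one medium.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"rule_id": "HYPOTHETICAL-SG-001", "severity": "High",
         "resource": "aws_security_group.app",
         "message": "Ingress 0.0.0.0/0 on tcp/3389 (RDP from anywhere)"},
        {"rule_id": "HYPOTHETICAL-S3-007", "severity": "medium",
         "resource": "aws_s3_bucket.logs",
         "message": "Server-side encryption not configured"},
    ]
})


def main(argv: list[str]) -> int:
    """Usage: python gate.py <environment>. Exit 1 blocks the pipeline job."""
    environment = argv[1] if len(argv) > 1 else "development"
    findings = parse_findings(SAMPLE_REPORT)
    allowed, blocking = gate(findings, environment)
    print(f"[{environment}] findings by severity: {summarise(findings)}")
    for f in blocking:
        print(f"  BLOCKING {f.rule_id} on {f.resource}: {f.message}")
    print("result: PASS" if allowed else "result: FAIL (fix the issues above and re-run)")
    return 0 if allowed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a CI job this script would run in the scan stage before any Terraform apply stage, with the environment name passed from the branch or deployment target; the non-zero exit is what stops the protected-branch pipeline, while the printed summary gives the developer the list to remediate without needing access to the scanner itself.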

DevSecOps Benefits

Meet the Team

Moldir Baimagambetova,
Consultant and DevOps Engineer

Moldir oversees the creation, testing, and enhancement of the Terraform code necessary for establishing the Aligne infrastructure. She has also connected the Terraform GitLab code repositories to GitLab DevSecOps pipelines, guaranteeing the detection of any security weaknesses prior to the actual infrastructure deployment.

Scott Noon,
Consultant & DevOps Engineer

Scott is responsible for the build and support of the GitLab pipeline configuration used to deploy infrastructure at Luminus. He created a standardised format for the DevSecOps pipeline to ensure both Application and Security teams could get what they needed for automated IaC deployments.