Paul K space : Azure Image Factory: an Example First Principles Refinement

Created by Paul Kelleher, last modified on Apr 09, 2023

Define the problem

The client wants to enhance and improve the development process by providing development teams standardised, secure and up to date OS images that they can customise with their required tooling.

The process should allow SecOps to define assurance or hardening in code - without the need to constantly check images and update them.

The business should have confidence that the images used by any group are

  1. updated in a timely manner for all OS components

  2. updated without manual interaction

  3. updated images should automatically upgrade any child process that uses it as a base

Discovery

Stakeholder Buy-In

The request from the client was delivered as part of a statement of work - with direct access to the primary stakeholder for queries

Internally the Azure Practice has also asked for an Azure Component

Metrics and Success

The client request is quite specific around a few points - so lets break down the success indicators

The client wants to enhance and improve the development process by providing development teams standardised, secure and up to date OS images that they can customise with their required tooling.

  • Improve development process
  • development team as a customer
  • standard image components
  • secured images
  • end user customisation option

The process should allow SecOps to define assurance or hardening in code - without the need to constantly check images and update them.

  • standard, repeatable process
  • SecOps as a customer
  • IaC application of hardening
  • Automatically update the image without manual initiation

The business should have confidence that the images used by any group are

  1. updated in a timely manner for all OS components

  2. updated without manual interaction

  3. updated images should automatically upgrade any child process that uses it as a base

  • Business as a reviewer for OS Updates
  • Provenance of automation
  • Updates to any image should cascade down to the end users

From the quick breakdown above, we can identify key requirements that will be measured as deliverables, assurance and provenance for compliance by logging and notifying process runs - and once delivered we can see adoption as it increases

One element that we can have difficulty with is comparing to current processes ..

TO BE COMPLETED

Innovation

Whi

Existing Engineering
  • GitHub
    • GitHub Actions
  • Terraform IaC
  • Azure Platform
  • Azure OS base Images

The existing engineering constrains how the code wil be stored and the CI/CD should leverage the exiting GitHub actions

When we come to breaking down the solution proposition into components, we will come back and check off what we want to use against what is in use

Technology Roadmap

There are no roadmap limitations or restrictions

Fundamental Components Breakdown

process

secure images

standard OS components

images secured by IaC

Images secure princess repeatable

SecOps “hands-off” process

Developers customise installs on OS

Developer images update on OS update

auto OS updates

auto Image update when parent updated

so putting our thoughts into the order we would expect them to be used:

SecOps

SecOps can select a base OS version and apply their OS hardening to a base image (Defining a secure base OS Image) - when the base OS updates, the process will need to re-run - performing all the defined tasks as before, but ion the new OS version. The process should trigger automatically when these updates are available.

Development

Development can select any base OS that has an approved hardening process and install custom development software in addition to carrying out all of the steps above before applying their installations

Component Interactions

2nd Pass breakdown

SecOps

SecOps can select a base OS version and apply their OS hardening to a base image (Defining a secure base OS Image) - when the base OS updates, the process will need to re-run - performing all the defined tasks as before, but ion the new OS version. The process should trigger automatically when these updates are available.

Below Ive shown that once we break down the problem into well enouigh defined components, we can search for existing solutions to find

  • existing solutions and how they achieve the goal

  • platform documentation and learning

  • tooling

SecOps can select a base OS version

  • where do we get the OS image

  • how do we assure it?

  • Platform Image Source
  • OS Publisher Source
  • 3rd Party Pre-secured

as we are using Azure it would be prudent to get the latest updated OS image and use that - and any subsequent updates - to act as the input base OS image

  • Investigate how to get OS image sources and their versions
  • Define an automated process to get the latest OS image version and if it.has changed, to trigger the workflow
and apply their OS hardening to a base image

  • How do we apply updates to the OS image?

    • this depends on the source

  • How do we build an image?

  • How do we allow an image to be consumed?

  • obtain OS - deploy - update - snapshot - package
  • define a cloud-init update process
  • Packer image building (ARM)
  • Packer image building (chroot)

investigate packer running on GitHub actions and via gterraform to apply customisations and output a cuistomised image

iInvestigate the various build modes and output optoons of packert

(Defining a secure base OS Image)

  • How do we define the image in code?

  • What data is needed to get and secure an image?

The business uses terraform to deploy all infrastructure, so using GitHub actions to run terraform - which will contain all the code to deliver the image

  • Build a GitHub repository and workflows to take inputs and apply terraform actions to run the workflow
when the base OS updates

  • How are OS updates communicated?

  • How can we trigger a workflow from an update?

  • How do we version our images?

  • How do we know what updates are on the OS

    the process will need to re-run

    • How do we build OS images?

    • What process is needed to build the image?

      performing all the defined tasks as before, but ion the new OS version

      • How do we flag failures?

      • How do we flag build problems?

        The process should trigger automatically when these updates are available.

        • How do we deliver a new version?

        • How do we publish and allow access to a new version?

        • Do we provide access to old images?

        Tasks Defined

        GitHub repo and workflow to execute terraform

        Execute process to get I age version detail and download

        Process to deploy and apply hardening and other optional installations

        Azure Machine Image Versions and Delivery

        Auto-updating and Versioning

        Tasks displayed in order the expected workflow -labeled with a priority where 1 is highest

        Development

        Development can select any base OS that has an approved hardening process and install custom development software in addition to carrying out all of the steps above before applying their installations

        Attachments:

        Azure Image Factory-tr.png (image/png)