|
1 | 1 | ---
|
2 |
| -title: Map IaC templates from code to cloud |
3 |
| -description: Learn how to map your Infrastructure as Code templates to your cloud resources. |
| 2 | +title: Map Infrastructure as Code templates from code to cloud |
| 3 | +description: Learn how to map your Infrastructure as Code (IaC) templates to your cloud resources. |
4 | 4 | ms.date: 11/03/2023
|
5 | 5 | ms.topic: how-to
|
6 | 6 | ms.custom: ignite-2023
|
7 | 7 | ---
|
8 | 8 |
|
9 | 9 | # Map Infrastructure as Code templates to cloud resources
|
10 | 10 |
|
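Review bot: `ms.date` on line 4 stays at 11/03/2023 even though this change rewrites the intro, restructures the prerequisites, adds a screenshot and renames the closing section; refresh the date with the rest of the front matter so readers (and the docs freshness checks) see that the article was reviewed.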
11 |
| -Mapping Infrastructure as Code (IaC) templates to cloud resources ensures consistent, secure, and auditable infrastructure provisioning. It enables rapid response to security threats and a security-by-design approach. If there are misconfigurations in runtime resources, this mapping allows remediation at the template level, ensuring no drift and facilitating deployment via CI/CD methodology. |
| 11 | +Mapping Infrastructure as Code (IaC) templates to cloud resources helps you ensure consistent, secure, and auditable infrastructure provisioning. It supports rapid response to security threats and a security-by-design approach. You can use mapping to discover misconfigurations in runtime resources. Then, remediate at the template level to help ensure no drift and to facilitate deployment via CI/CD methodology. |
12 | 12 |
|
13 | 13 | ## Prerequisites
|
14 | 14 |
|
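Review bot: the rewritten intro (new line 11) changes what the feature claims to do. The original said that when misconfigurations exist in runtime resources, the mapping lets you remediate them at the template level; the new sentence "You can use mapping to discover misconfigurations in runtime resources" makes the mapping itself the thing that finds misconfigurations, which the rest of the article does not support (the findings come from Cloud Security Explorer and the CSPM plan; the mapping links them back to the template). Suggest keeping the original causal order, for example: "When Defender for Cloud finds misconfigurations in runtime resources, mapping lets you remediate them at the template level, which helps prevent drift and keeps deployment flowing through your CI/CD pipeline."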
15 |
| -To allow Microsoft Defender for Cloud to map Infrastructure as Code template to cloud resources, you need: |
| 15 | +To set Microsoft Defender for Cloud to map IaC templates to cloud resources, you need: |
16 | 16 |
|
17 |
| -- An Azure account with Defender for Cloud onboarded. If you don't already have an Azure account, [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). |
18 |
| -- [Azure DevOps](quickstart-onboard-devops.md) environment onboarded into Microsoft Defender for Cloud. |
| 17 | +- An Azure account with Defender for Cloud configured. If you don't already have an Azure account, [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). |
| 18 | +- An [Azure DevOps](quickstart-onboard-devops.md) environment set up in Defender for Cloud. |
19 | 19 | - [Defender Cloud Security Posture Management (CSPM)](tutorial-enable-cspm-plan.md) enabled.
|
20 |
| -- Configure your Azure Pipelines to run [Microsoft Security DevOps Azure DevOps extension](azure-devops-extension.md). |
21 |
| -- Tag your supported Infrastructure as Code templates and your cloud resources. (Open-source tools like [Yor_trace](https://github.com/bridgecrewio/yor) can be used to automatically tag Infrastructure as Code templates) |
22 |
| - - Supported cloud platforms: AWS, Azure, GCP. |
23 |
| - - Supported source code management systems: Azure DevOps. |
24 |
| - - Supported template languages: Azure Resource Manager, Bicep, CloudFormation, Terraform. |
| 20 | +- Azure Pipelines set up to run the [Microsoft Security DevOps Azure DevOps extension](azure-devops-extension.md). |
| 21 | +- IaC templates and cloud resources set up with tag support. You can use open-source tools like [Yor_trace](https://github.com/bridgecrewio/yor) to automatically tag IaC templates. |
| 22 | + - Supported cloud platforms: Microsoft Azure, Amazon Web Services, Google Cloud Platform |
| 23 | + - Supported source code management systems: Azure DevOps |
| 24 | + - Supported template languages: Azure Resource Manager, Bicep, CloudFormation, Terraform |
25 | 25 |
|
26 | 26 | > [!NOTE]
|
27 |
| -> Microsoft Defender for Cloud will only use the following tags from Infrastructure as Code templates for mapping: |
28 |
| -
|
29 |
| -> - yor_trace |
30 |
| -> - mapping_tag |
| 27 | +> Microsoft Defender for Cloud uses only the following tags from IaC templates for mapping: |
| 28 | +> |
| 29 | +> - `yor_trace` |
| 30 | +> - `mapping_tag` |
31 | 31 |
|
32 | 32 | ## See the mapping between your IaC template and your cloud resources
|
33 | 33 |
|
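Review bot: new line 21, "IaC templates and cloud resources set up with tag support", turns an action the reader must take into a vague state and drops the requirement that both sides actually carry the tag. The old line told the reader to tag the templates and the cloud resources; the note block on lines 27-30 then says only `yor_trace` and `mapping_tag` are used for mapping. Suggest wording the prerequisite as the action and tying it to the note, for example: "Your IaC templates and the cloud resources they provision tagged with the same `yor_trace` or `mapping_tag` value (tools such as Yor can add these tags to templates automatically)." The three "Supported ..." sub-bullets describe the mapping feature, not the tagging, so they read better as a sibling list under the prerequisites heading rather than nested beneath the tag item.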
34 |
| -To see the mapping between your IaC template and your cloud resources in the [Cloud Security Explorer](how-to-manage-cloud-security-explorer.md): |
| 34 | +To see the mapping between your IaC template and your cloud resources in [Cloud Security Explorer](how-to-manage-cloud-security-explorer.md): |
35 | 35 |
|
36 | 36 | 1. Sign in to the [Azure portal](https://portal.azure.com/).
|
| 37 | + |
37 | 38 | 1. Go to **Microsoft Defender for Cloud** > **Cloud Security Explorer**.
|
38 |
| -1. Search for and select all your cloud resources from the drop-down menu. |
39 |
| -1. Select + to add other filters to your query. |
40 |
| -1. Add the subfilter **Provisioned by** from the category **Identity & Access**. |
41 |
| -1. Select **Code repositories** from the category **DevOps**. |
42 |
| -1. After building your query, select **Search** to run the query. |
43 | 39 |
|
44 |
| -Alternatively, you can use the built-in template named “Cloud resources provisioned by IaC templates with high severity misconfigurations”. |
| 40 | +1. In the dropdown menu, search for and select all your cloud resources. |
| 41 | + |
| 42 | +1. To add more filters to your query, select **+**. |
| 43 | + |
| 44 | +1. In the **Identity & Access** category, add the subfilter **Provisioned by**. |
| 45 | + |
| 46 | +1. In the **DevOps** category, select **Code repositories**. |
| 47 | + |
| 48 | +1. After you build your query, select **Search** to run the query. |
45 | 49 |
|
46 |
| - |
| 50 | +Alternatively, select the built-in template **Cloud resources provisioned by IaC templates with high severity misconfigurations**. |
| 51 | + |
| 52 | +:::image type="content" source="media/iac-template-mapping/iac-mapping.png" alt-text="Screenshot that shows the IaC mapping Cloud Security Explorer template."::: |
47 | 53 |
|
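Review bot: new line 52 introduces an image reference, `media/iac-template-mapping/iac-mapping.png`, but this diff only touches the markdown file; confirm the PNG is added in the same commit so the build does not fail on a missing asset. The alt text is fine, but because the screenshot shows a Cloud Security Explorer query, make sure it contains no real subscription IDs, tenant names or resource names before merging.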
48 | 54 | > [!NOTE]
|
49 |
| -> Please note that mapping between your Infrastructure as Code templates to your cloud resources can take up to 12 hours to appear in the Cloud Security Explorer. |
| 55 | +> Mapping between your IaC templates and your cloud resources might take up to 12 hours to appear in Cloud Security Explorer. |
50 | 56 |
|
51 | 57 | ## (Optional) Create sample IaC mapping tags
|
52 | 58 |
|
53 |
| -To create sample IaC mapping tags within your code repositories, follow these steps: |
| 59 | +To create sample IaC mapping tags in your code repositories: |
| 60 | + |
| 61 | +1. In your repository, add an IaC template that includes tags. |
| 62 | + |
| 63 | + You can start with a [sample template](https://github.com/microsoft/security-devops-azdevops/tree/main/samples/IaCMapping). |
| 64 | + |
| 65 | +1. To commit directly to the main branch or create a new branch for this commit, select **Save**. |
| 66 | + |
| 67 | +1. Confirm that you included the **Microsoft Security DevOps** task in your Azure pipeline. |
54 | 68 |
|
55 |
| -1. Add an **IaC template with tags** to your repository. To use an example template, see [here](https://github.com/microsoft/security-devops-azdevops/tree/main/samples/IaCMapping). |
56 |
| -1. Select **save** to commit directly to the main branch or create a new branch for this commit. |
57 |
| -1. Include the **Microsoft Security DevOps** task in your Azure pipeline. |
58 |
| -1. Verify that the **pipeline logs** show a finding saying **“An IaC tag(s) was found on this resource”**. This means that Defender for Cloud successfully discovered tags. |
| 69 | +1. Verify that pipeline logs show a finding that says **An IaC tag(s) was found on this resource**. The finding indicates that Defender for Cloud successfully discovered tags. |
59 | 70 |
|
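Review bot: new line 65, "To commit directly to the main branch or create a new branch for this commit, select **Save**", reads as if **Save** performs both actions; the choice is made after selecting Save. Suggest: "Select **Save**, and then choose whether to commit directly to the main branch or create a new branch for the commit." Since this is a sample tagging change, steering the reader toward a new branch and a pull request (rather than a direct commit to main) would also match the branch-protection setup most Azure DevOps projects already use. The reordering of the old step 3 into a confirmation on line 67 is fine given that the pipeline task is already a prerequisite, but line 69 still attributes tag discovery to Defender for Cloud while the finding itself comes from the Microsoft Security DevOps task running in the pipeline; consider "The finding indicates that the Microsoft Security DevOps task discovered the tags and reported them to Defender for Cloud."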
60 |
| -## Next steps |
| 71 | +## Related content |
61 | 72 |
|
62 | 73 | - Learn more about [DevOps security in Defender for Cloud](defender-for-devops-introduction.md).
|