Subscribe to the Blog

Get articles sent directly to your inbox.

Over the last few months, we have been quietly working on several features. So I’m thrilled to announce that one of them is now Generally Available. Starting today, Cloudrail supports Terraform users using Azure environments.

What Does This Mean?

  1. As a Cloudrail user, you will be able to use Cloudrail to analyze your Azure Terraform environments for security misconfigurations.
  2. Cloudrail will come with over 70 rules mapping to Azure CIS v1.3.
  3. Cloudrail’s policy-as-code framework extends support for Azure environments.
  4. With Dragoneye now supporting Azure, Cloudrail users can use our Static + Dynamic analysis mode for Azure.

Terraform Security for Azure Environments

Cloudraill will provide over 70 pre-built Azure rules to support your efforts to align with Azure CIS v1.3 benchmark. As always, you control which rules are mandated with our granular policy controls.

Cloudrail will support Terraform security for Azure in two modes: Static Analysis or Static + Dynamic Analysis. Users have asked when to use each method, so I’ve provided a simplified table below to describe which environment should use Static or Static + Dynamic.

We have made a simple comparison of which mode to use based on your environment:

Static Analysis ModeStatic + Dynamic Analysis Mode
Your team manages your entire Azure environment in one terraform stack
Your team relies on multiple terraform stacks or repos to manage your infrastructure and the stacks create resources that reference one another
Parts of your infrastructure are legacy and not managed by your IaC. Your IaC relies on the unmanaged infrastructure.
You need visibility on configuration drifts (currently in Alpha).
You want to address ongoing technical debt, like removing unused resources from IaC.

Extending Policy-as-Code to Azure

Every organization has a unique security requirement in Azure. We want to support custom organization requirements by providing a policy-as-code framework that empowers organizations to manage their security requirements as custom Cloudrail rules.

Related Article  Terraform goes hand in hand with CI/CD

Below is a table of all the resources we support today. If there are additional resources you would like to request for support, you can make a request (open an issue) or upvote a ticket in our GitHub here: https://github.com/indeni/cloudrail-knowledge.

Supported resources:
Resource Groups
MySQL server
SQL Database
Postgres SQL Server
App Service
Function App
Network Security Group
Subnets
Network Interfaces
Virtual Network Gateway
Security Center
Storage Account
Resource Diagnostic Settings
Key Vault

To write your own Cloudrail rules, you can reference our rule writing tutorial here: https://knowledge.docs.cloudrail.app.

Automatic Support for Drift Detection (Alpha)

Many of our users have been asking for drift detection for their cloud infrastructure. With the latest release of Dragoneye, which Cloudrail uses automatically for running Static + Dynamic analysis scans, Cloudrail’s Drift Detection capabilities will automatically support Azure. At the moment, we are undergoing Alpha testing before we release Drift Detection for GA. If you would like to participate, please message me directly (charles at indeni.com). 

What is required to use Cloudrail in my Azure environment?

  1. If you do not have a Cloudrail account, you can do so easily here.
  2. If you only need to use our basic Static Analysis scans, the steps are straightforward. Download Cloudrail CLI and follow the instructions in the wizard to scan your Terraform file.:
  3. If you want to run Static + Dynamic analysis, you will need to configure your Azure account so that Dragoneye can scan your environment. First, you will need to deploy an application in the Azure Active Directory of your Azure subscription at a high level. Once Dragoneye successfully connects to your subscription, you can reference the subscription ID with your Cloudrail scan. Our wizard can guide you through this process:
Related Article  Identifying IAM Configuration Drift
[crop output image]

Terraform Security, Policy-as-Code, Drift Detection for Azure

Extending support for Azure enables multi-cloud organizations to use Cloudrail for additional use cases. With our latest support for Azure, cloud security teams can write policy-as-code for Azure environments, take advantage of our checks that map to CIS v1.3, or alpha test Drift Detection for their Azure environment.