DEV Community

Tushar Gayakwad

SecureOpsFlow - End-to-End Deployment with Notifications and Secure.🚀

✨Introduction

This architecture describes an efficient and secure CI/CD pipeline that improves the development and release process while upholding code quality, security, and automated approvals. The tools are GitHub Actions, SonarQube, Docker, and AWS services, combined with mechanisms such as quality gates, approval notifications, and vulnerability scanning of Docker images.

🏗️SecureOpsFlow Architecture


📦SecureOpsFlow Project Setup Prerequisites

  • Git with GitHub: Version control system and code repository hosting
  • GitHub Actions: Automation tool for CI/CD flow triggered by code changes
  • SonarQube: A code quality platform that reports bugs, anti-patterns (code smells) and security hotspots.
  • Docker: A tool for packaging applications into portable container images.
  • Docker Compose: A tool used to define and manage multi-container Docker applications
  • AWS EC2: Virtual servers in the cloud for hosting and running your Docker containers.
  • AWS ECR: A managed Docker container registry that provides image storage, encryption at rest, and cross-region replication.
  • AWS CloudFront: A fast, secure, and inexpensive CDN service that delivers content with low latency over HTTPS.
  • GoDaddy: A domain registrar where you register your website's public-facing domain name and manage its DNS records.

📋Step-by-Step Project Setup and Explanation

🛠️1. Create EC2 Machine for web service deployment

1. Log in to AWS

  • Go to the AWS Management Console.
  • Open the EC2 Dashboard.

2. Launch Instance

  • From the "Instances" tab, click Launch Instances.

3. Instance Configuration.

  • Name: Enter a name for your instance (e.g. SecureOpsFlow_Web).
  • Instance Type: Choose t2.medium.
  • Key pair: Create or select a key pair for SSH access.
  • Network Settings: Choose a security group.
  • Storage: Customize storage (e.g. 15 GB, or more if needed).

4. Launch the Instance

  • Verify your settings, and then choose Launch Instance.


🧩2. Setup a SonarQube on SecureOpsFlow_Web

1. SSH into the EC2 Instance

  • Use your terminal to connect to the EC2 instance:
ssh -i "your-key.pem" ubuntu@your-ec2-public-ip

2. Install Docker and Docker Compose

  • Using these commands (they target Amazon Linux; on an Ubuntu AMI, which the ubuntu@ login used above implies, replace the two yum lines with sudo apt-get update && sudo apt-get install -y docker.io):
sudo yum update -y
sudo yum install docker -y
sudo service docker start
# log out and back in afterwards so the docker group membership takes effect
sudo usermod -a -G docker $USER
# Compose v2 release tags are prefixed with "v" and the asset names use a lowercase OS name
sudo curl -L "https://github.com/docker/compose/releases/download/v2.25.0/docker-compose-$(uname -s | tr '[:upper:]' '[:lower:]')-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

3. Clone the Repository

  • Clone your GitHub repository:
git clone https://github.com/TusharGayakwad/SecureOpsFlow.git
  • Go into the repository directory:
cd SecureOpsFlow

4. Run Docker Compose

  • Now run the command for running Docker Compose:
docker-compose -f SonarQube_Setup_compose.yml up --build -d

Note: After running this command, open port 9000 in the instance's security group so the SonarQube container is reachable (restrict the source to your own IP range rather than 0.0.0.0/0 where possible).

6. Verify the Setup

  • Check if the containers are up and running:
docker ps

Open a browser and use the EC2 public IP with the configured port to access SonarQube (e.g., http://instance_public_ip:9000).

7. Configure a Project in SonarQube

  • Log in to SonarQube: Open your SonarQube instance (e.g., http://instance_public_ip:9000) and log in with the default credentials (admin/admin); change the password immediately after logging in.

  • Create a project: Go to Projects > Create Project.
    (Enter a project name and a key that is not yet in use, then click Set Up.)

  • Generate a token: Click Generate Token, name it (e.g., SecureOpsFlow_Token), and store it in a safe location; it is shown only once.

  • Select a scanner: Choose your build tool (e.g. SonarScanner CLI).
    Follow the instructions to download and set up the scanner.

  • Add configuration:
    Update the SonarQube settings in the workflow file (.github/workflows/main.yml): the project key, the host URL, and the login token.

  • Add a GitHub Actions secret:
    In GitHub go to Settings > Secrets and variables > Actions > New repository secret, and store the SonarQube token there instead of in the workflow file.

8. Create a Quality Gate in SonarQube

  • Navigate to Quality Gates: From the top menu choose Quality Gates, press Create, and give it a name.

  • Add conditions to the Quality Gate: Press Add Condition to add each rule that the Quality Gate enforces. For example:

    • Coverage: Coverage is below 80% → FAIL.
    • Bugs: The number of Bugs exceeds 0 → FAIL.
    • Vulnerabilities: The number of Vulnerabilities is greater than 0 → FAIL.
    • Code Smells: Maintainability Rating is below A → FAIL.
  • Save the Quality Gate: After adding all the desired conditions, click Save.

9. Apply Quality Gate to your project.

  • Go to your project: Click Projects and select your project.
  • Assign the Quality Gate: Go to Administration > Quality Gate and select the newly created Quality Gate from the list.

10. Notify the developer of the SonarQube quality check result by email:

Whether the SonarQube quality check result is "FAILED" or "SUCCESS", the pipeline sends a mail to the developer:

  • Note: Set the username and secrets as follows:
    • Username: Use your office email.
    • Password: Add a secret named EMAIL_PASSWORD in GitHub Secrets.
    • To: Add a secret named DEVELOPER_EMAIL in GitHub Secrets with the developer's email.
    • From: Add a secret named OFFICIAL_EMAIL in GitHub Secrets with the office email.
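The workflow steps for sections 7 to 10 (scan, wait for the quality gate, mail the result) were shown as screenshots; the following job is an added example written for this post and is not the repository's own main.yml. It assumes two extra secret names, SONAR_TOKEN and SONAR_HOST_URL, a project key of secureopsflow, and Gmail's SMTP endpoint; the EMAIL_PASSWORD, DEVELOPER_EMAIL and OFFICIAL_EMAIL secrets are the ones described above. The quality gate step exposes its verdict as an output, and the mail step runs with if: always() so the developer is notified on both FAILED and PASSED.

```yaml
name: sonarqube-quality-check

on:
  push:
    branches: [main]

jobs:
  sonarqube:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so SonarQube can detect "new code"

      # Run the scanner; the projectKey must match the project created in step 7
      - name: SonarQube scan
        uses: sonarsource/sonarqube-scan-action@v2
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}        # assumed secret name (the token from step 7)
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}  # assumed secret, e.g. http://instance_public_ip:9000
        with:
          args: >
            -Dsonar.projectKey=secureopsflow

      # Block until the server has computed the Quality Gate and expose the verdict
      - name: Wait for quality gate
        id: qg
        uses: sonarsource/sonarqube-quality-gate-action@master
        timeout-minutes: 5
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

      # Runs whether the gate passed or failed, so the developer always hears back
      - name: Mail quality gate result to developer
        if: always()
        uses: dawidd6/action-send-mail@v3
        with:
          server_address: smtp.gmail.com   # assumed SMTP server
          server_port: 465
          secure: true
          username: ${{ secrets.OFFICIAL_EMAIL }}
          password: ${{ secrets.EMAIL_PASSWORD }}
          subject: "SonarQube quality gate ${{ steps.qg.outputs.quality-gate-status }}: ${{ github.repository }}@${{ github.sha }}"
          to: ${{ secrets.DEVELOPER_EMAIL }}
          from: ${{ secrets.OFFICIAL_EMAIL }}
          body: |
            Quality gate status: ${{ steps.qg.outputs.quality-gate-status }}
            Commit: ${{ github.sha }}
            Run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
```

The quality gate action fails the job when the verdict is FAILED, which is what stops later build and push jobs from running; the mail step still executes because of if: always(). With the Gmail endpoint the EMAIL_PASSWORD secret must be an app password, not the account password.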

3. Build a Docker Image, Scan with Trivy Scanner Tool, and Push to AWS ECR:

  • Build a Docker image from the Dockerfile.

  • Scan the Docker image with Trivy:
    Trivy is a lightweight, open-source vulnerability scanner that finds security issues in container images, file systems, and source code repositories. It is simple and fast to run, which makes it a good choice for vulnerability and misconfiguration scanning, and it integrates well with CI/CD tooling so the check runs on every build.


  • Send the vulnerability report to the DevOps team.
    Note: Go to the GitHub Secrets and add a secret named DEVOPS_GUY_EMAIL with the DevOps team email.

  • Configure AWS, push the image to ECR, and send a final mail to the manager:

Stage 1: Configuring AWS Credentials

This stage configures the AWS credentials needed to interact with the ECR service.
It uses the aws-actions/configure-aws-credentials action, which takes the following inputs:

  • Access Key ID
  • Secret Access Key
  • Region (ap-south-1)

Note: Log in to AWS Console > Click on your user > Go to the Security credentials tab > Create Access Key > Download the .csv file, then store the two values as GitHub secrets. The same action also supports OpenID Connect (its role-to-assume input), which lets the workflow assume an IAM role without storing long-lived access keys at all.

Stage 2: Logging into ECR and Pushing Docker Image

Log in to Amazon ECR using the amazon-ecr-login action. Tag the Docker image (in this case it is named secureopsflow) and push it to the ECR repository.
The following commands achieve this:

docker tag secureopsflow:latest $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG

Note: Log in to AWS Console > Search ECR > Go to Repositories > Click Create Repository > Enter Repository Name (e.g., secureopsflow) > Click Create > Copy the Repository URI.

Stage 3: Sending Notification Email to Manager

The final step in the build stage involves sending an email to the manager once the Docker image is successfully pushed to ECR.
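The build, Trivy scan, report mail and ECR push of section 3 were also shown only as screenshots. The steps below are an added example written for this post, not the repository's own workflow. They assume the build job already has the checked-out source and the secrets EMAIL_PASSWORD, OFFICIAL_EMAIL and DEVOPS_GUY_EMAIL described above; the secret names AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY and the Gmail SMTP endpoint are assumptions. Trivy runs twice: once to produce the full report that is mailed to the DevOps team regardless of outcome, and once as a gate that fails the job (and therefore skips the push) when fixable HIGH or CRITICAL findings remain.

```yaml
      # Build the image locally from the repository's Dockerfile
      - name: Build Docker image
        run: docker build -t secureopsflow:latest .

      # First pass: full report for the DevOps team; exit-code 0 so this never fails the job
      - name: Trivy vulnerability report
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: secureopsflow:latest
          format: table
          output: trivy-report.txt
          exit-code: '0'

      - name: Mail Trivy report to DevOps
        uses: dawidd6/action-send-mail@v3
        with:
          server_address: smtp.gmail.com   # assumed SMTP server
          server_port: 465
          secure: true
          username: ${{ secrets.OFFICIAL_EMAIL }}
          password: ${{ secrets.EMAIL_PASSWORD }}
          subject: "Trivy report for secureopsflow ${{ github.sha }}"
          to: ${{ secrets.DEVOPS_GUY_EMAIL }}
          from: ${{ secrets.OFFICIAL_EMAIL }}
          body: Trivy scan results for the latest build are attached.
          attachments: trivy-report.txt

      # Second pass: the actual gate. Unfixed findings are ignored so the build is not
      # blocked on issues with no available patch; everything fixable at HIGH/CRITICAL fails it.
      - name: Trivy gate
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: secureopsflow:latest
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: '1'

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}          # assumed secret name
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}  # assumed secret name
          aws-region: ap-south-1

      - name: Login to Amazon ECR
        id: ecr
        uses: aws-actions/amazon-ecr-login@v2

      # Tag with the commit SHA so every pushed image is traceable and immutable
      - name: Tag and push image to ECR
        env:
          ECR_REGISTRY: ${{ steps.ecr.outputs.registry }}
          ECR_REPOSITORY: secureopsflow
          IMAGE_TAG: ${{ github.sha }}
        run: |
          docker tag secureopsflow:latest $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
```

The manager notification from Stage 3 is the same action-send-mail step as in the SonarQube job, placed after the push with the image URI in the body. Because the gate step has no if: always(), a FAILED scan stops the job before the credentials are even configured, so no vulnerable image reaches the registry.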

🚀4. Deployment to EC2:


Stage 1: Set up SSH Connection to EC2

Now we need to create a secure SSH connection to the EC2 instance. This is done using the private SSH key stored in a GitHub secret for security purposes.

- name: Set up SSH
  uses: webfactory/ssh-agent@v0.5.3
  with:
    ssh-private-key: ${{ secrets.EC2_SSH_KEY }}

Note: create a GitHub secret named EC2_SSH_KEY containing the private key of the key pair chosen when the instance was launched.

Stage 2: Deploy the Application to EC2

Once connected via SSH, you run the deployment commands in the EC2 instance using Docker Compose. The workflow uses the ssh command to log into the EC2 instance and execute deployment commands.

- name: Deploy Application to EC2
  run: |
    ssh -o StrictHostKeyChecking=no ubuntu@${{ secrets.EC2_HOST }} << 'EOF'
    cd /home/ubuntu/SecureOpsFlow
    docker-compose -f compose.yml up -d
    EOF

The stepwise functioning is as follows:

  • SSH into the EC2 instance as user ubuntu, using the EC2 host IP stored as a secret.
  • Change directory to the application folder (/home/ubuntu/SecureOpsFlow).
  • Run docker-compose up in detached mode to start the application.
    Note: create a secret named EC2_HOST holding the server's IP address.
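The deploy step above disables host-key verification with StrictHostKeyChecking=no, which means the runner would happily hand its SSH session to any machine answering at that address. The variant below is an added example for this post, not the repository's own workflow: it pins the instance's host key from a secret instead. EC2_KNOWN_HOSTS is an assumed secret holding the line(s) printed by running ssh-keyscan against the instance once from a trusted machine; EC2_SSH_KEY and EC2_HOST are the secrets described above.

```yaml
      - name: Set up SSH
        uses: webfactory/ssh-agent@v0.5.3
        with:
          ssh-private-key: ${{ secrets.EC2_SSH_KEY }}

      # Pin the server's host key: a DNS or IP hijack now fails the connection
      # instead of silently redirecting the deployment (and the key's session).
      - name: Pin the EC2 host key
        run: |
          mkdir -p ~/.ssh
          chmod 700 ~/.ssh
          echo "${{ secrets.EC2_KNOWN_HOSTS }}" >> ~/.ssh/known_hosts   # assumed secret, output of ssh-keyscan
          chmod 600 ~/.ssh/known_hosts

      # StrictHostKeyChecking is left at its default (yes): an unknown or changed key aborts.
      # set -e inside the remote script makes a failed compose command fail the job
      # instead of being masked by the final heredoc line.
      - name: Deploy Application to EC2
        run: |
          ssh ubuntu@${{ secrets.EC2_HOST }} 'bash -s' << 'EOF'
          set -euo pipefail
          cd /home/ubuntu/SecureOpsFlow
          docker-compose -f compose.yml up -d --remove-orphans
          docker-compose -f compose.yml ps
          EOF
```

If the instance is ever rebuilt its host key changes and the EC2_KNOWN_HOSTS secret must be refreshed; that failure is the intended signal, not something to suppress.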

Stage 3: Send Deployment Confirmation Email to the Manager

The final step of the deployment process sends a confirmation email to the manager upon the deployment's successful completion.

Connect a CloudFront to EC2🌐:

Stage 1: Create a Distribution

In the AWS console, go to CloudFront and create a new distribution:

  • Origin Domain: Use your EC2 instance’s public IP or DNS as the origin.
  • Cache Behavior: Set up the caching and protocol policies (HTTP or HTTPS) according to your needs.
  • Create Distribution: Click Create to set up the distribution.

Stage 2: Update EC2 Security Group:

Allow Traffic: Ensure your EC2 security group allows inbound traffic on the origin port from CloudFront's IP ranges only, so clients cannot bypass the distribution and reach the instance directly.

Configure GoDaddy (If using a custom domain)📝

DNS Settings: In GoDaddy, add a CNAME record pointing your domain to the CloudFront distribution hostname (https://d1pm7k06iepqhp.cloudfront.net, entered without the https:// prefix). A CNAME can only be set on a subdomain such as www, not on the bare domain.


Thank you for taking the time to read my blog! I hope you found it insightful and engaging. 💡 Your support means a lot to me, and I look forward to sharing more content with you. Stay tuned! 🚀📚

Top comments (1)

Swati Jaiswal

This is very helpful