Tag: Infrastructure as Code

DevSecOps Comeback: A Beginner-Friendly 30-Day Guided Lab
DevSecOps at Payforward. AWS pipelines. Security built into every deployment.

DevSecOps may sound complex, but at its core it is simple:
- Write code
- Store it in Git
- Automate build and test
- Scan for vulnerabilities
- Deploy securely
This guide walks step by step, assuming only basic familiarity with Git, Azure, YAML, and Python.

No assumptions. No shortcuts.

Before Starting: Required Foundations

1. Basic Git Understanding

Git is version control.

Think of it as a time machine for code.

Common commands:
```
git init
git add .
git commit -m "Initial commit"
git push
```
What this means:
- git init creates a repository
- git add . stages changes
- git commit saves a snapshot
- git push sends changes to Azure DevOps or GitHub
In DevSecOps, Git is the source of truth.

If it’s not in Git, it doesn’t exist.

2. Basic Azure Comfort

In Azure DevOps, there are:
- Repos (code lives here)
- Pipelines (automation runs here)
- Artifacts (build output stored here)
The workflow:

Code → Push → Pipeline Runs → Security Checks → Artifact Produced

No manual deployments.

3. Understanding YAML (Very Important)

YAML is just structured configuration.

Example:
```
trigger:
  branches:
    include:
      - main
```
This simply means:

“When code is pushed to main branch, run the pipeline.”

Another example:
```
pool:
  vmImage: windows-latest
```
This means:

“Use a Microsoft-hosted Windows machine to run tasks.”

YAML is not programming.
It is instructions.

Indentation matters.
Spacing matters.
No tabs.

4. Light Python Example

Create a simple app.

app/app.py
```
from flask import Flask

app = Flask(__name__)

@app.get("/")
def home():
    return "Secure automation is running"

if __name__ == "__main__":
    app.run(host="0.0.0.0", port=8080)
```
requirements.txt
```
flask==3.0.3
```
Simple. Clean. Testable.

The DevSecOps Analogy: Snake and Eagle

In nature, a snake can overpower an eagle by wrapping tightly and applying controlled pressure.

In DevSecOps:
- The eagle represents risk, exposure, and vulnerabilities.
- The snake represents automation, discipline, and enforcement.
Manual processes allow risk to fly freely.

Automated pipelines wrap around code changes, applying consistent pressure:
- Tests must pass.
- Vulnerabilities must be scanned.
- Secrets must not leak.
Automation constrains risk.

That is DevSecOps.

Week 1: Build and Test Pipeline

azure-pipelines.yml
```
trigger:
  branches:
    include:
      - main

pool:
  vmImage: windows-latest

variables:
  PythonVersion: "3.11"

steps:
- task: UsePythonVersion@0
  inputs:
    versionSpec: "$(PythonVersion)"
    addToPath: true

- powershell: |
    python -m pip install --upgrade pip
    pip install -r app/requirements.txt
    pip install pytest
  displayName: Install dependencies

- powershell: |
    pytest -q
  displayName: Run tests

- powershell: |
    pip install pip-audit
    pip-audit -r app/requirements.txt
  displayName: Dependency vulnerability scan

- task: PublishBuildArtifacts@1
  inputs:
    PathtoPublish: "$(Build.SourcesDirectory)"
    ArtifactName: "drop"
```
What this does:
1. Installs Python
2. Installs dependencies
3. Runs tests
4. Scans for vulnerabilities
5. Publishes artifact
That is secure automation.

Week 2: Secrets and Azure Key Vault

Never store passwords in code.

Instead:
- Create Azure Key Vault
- Store secret there
- Use service connection
- Pull secret during pipeline run
This ensures:

No plaintext secrets.
No hardcoded credentials.
No manual copy-paste errors.

Week 3: Infrastructure as Code

Choose Bicep.

Example:
```
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: 'devsecopslabstorage'
  location: resourceGroup().location
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
}
```
Infrastructure becomes code.
Code becomes version-controlled.
Version-controlled systems become predictable.

Week 4: Containerization

Dockerfile example:
```
FROM python:3.11-slim
WORKDIR /app
COPY app/requirements.txt .
RUN pip install -r requirements.txt
COPY app .
CMD ["python", "app.py"]
```
Push image to Azure Container Registry.
Deploy through pipeline.

Now the system is portable, secure, and repeatable.

Final Perspective

DevSecOps is not about complexity.

It is about control.

Manual deployment allows risk to fly.
Automation constrains risk.

The snake does not move randomly.
It moves deliberately.

Secure pipelines do the same.

Begin small.
Automate consistently.
Enforce security early.

Edge returns with repetition.

© 2012–2026 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
February 24, 2026
Terraform Made Simple, your first working configuration from install to Azure access
Introduction
Infrastructure as Code is not optional anymore. Terraform gives you a declarative way to build, modify, and destroy cloud resources cleanly. This tutorial shows exactly how to install Terraform, create your first configuration, and connect it to Azure without affecting your company’s production environment. I used these steps to rebuild my own skills after leaving California and stepping into Utah’s quiet season of learning.

Step 1
Install Terraform using Winget
1. Open PowerShell as admin
2. Run the installer
  winget install HashiCorp.Terraform –source winget
3. Restart your PowerShell window
4. Verify the installation
  terraform -version
You should see something like
Terraform v1.14.0

Step 2
Create your Terraform workspace
1. Create a folder
  mkdir C:\terraform\test1
2. Go inside the folder
  cd C:\terraform\test1
3. Create a new file
  New-Item main.tf -ItemType File
Leave the file empty for now. Terraform just needs to see that a configuration file exists.

Step 3
Write your first Terraform configuration

Open main.tf and paste this:

provider “azurerm” {
features {}
}

Nothing created yet. This is read only.

The goal is to connect Terraform to Azure safely.

Save the file.

Step 4
Initialize Terraform

Run
terraform init

This downloads the AzureRM provider and sets up your working directory.

You should see
Terraform has been successfully initialized

Step 5
Install the Azure CLI

Terraform connects to Azure using your Azure CLI login. Install it with:

winget install Microsoft.AzureCLI

Verify it
az –version

Step 6
Log into Azure

Run
az login

A browser opens. Select your Azure account.

Important note
If you see Martin’s Azure subscription, stop here and do not run terraform apply.
Terraform plan is safe because it does not make changes.

Step 7
Check your Azure subscription

az account show

This confirms who you are logged in as and which subscription Terraform will use.

Step 8
Run your first Terraform plan

terraform plan

This reads your main.tf and checks for any required changes.
Since your config is empty, the output will say:
No changes. Infrastructure is up to date.

Step 9
Useful Azure CLI commands for Cloud Engineers

Check all resource groups
az group list -o table

Check all VMs
az vm list -o table

Check storage accounts
az storage account list -o table

Check virtual networks
az network vnet list -o table

Check VM status
az vm get-instance-view –name VMNAME –resource-group RGNAME –query instanceView.statuses[1].displayStatus

Check Azure AD users
az ad user list –filter “accountEnabled eq true” -o table

Check your role assignments
az role assignment list –assignee <your UPN> -o table

These commands show LC that you are comfortable with both Terraform and Azure CLI.

Step 10
Can Terraform check Defender?

Terraform itself does not “check” Defender, but you can manage Defender settings as resources.

For example:

azurerm_security_center_contact
azurerm_security_center_subscription_pricing
azurerm_security_center_assessment
azurerm_defender_server

Meaning
Terraform is for configuration
Azure CLI is for inspection
Graph / PowerShell is for deep security reporting

If LC wants real Defender reporting, we use:

Connect-MgGraph
Get-MgSecurityAlert
Get-MgSecuritySecureScore

You already know these.

Step 11
Cleaning up safely

Since we did not deploy anything, no cleanup is required.

If you later create real resources, destroy them with
terraform destroy

Final thoughts
Terraform is one of the most powerful tools in cloud engineering. Once you know how to initialize it, authenticate with Azure, and run plans, you are already ahead of many engineers who feel overwhelmed by IaC. LC will immediately see that you are not just an Exchange guy or a VMware guy. You are becoming a modern DevOps cloud engineer who can manage infrastructure in code.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
November 26, 2025

Terraform for M365 & Azure (With Real Examples)

Title:

Terraform for M365 and Azure — Infrastructure-as-Code Made Simple

Introduction

Terraform is one of the most powerful tools for managing cloud environments because it lets you declare what you want and Azure builds it. No guessing. No clicking. No forgetting what you changed.

Even if M365 doesn’t support Terraform natively for all workloads, you can still automate Azure AD, Conditional Access, Groups, SPNs, Networking, Key Vault, and App Registrations through the Microsoft Graph provider.

I used IaC principles while supporting Church systems — Terraform makes environments repeatable, auditable, and consistent.

1. Installing Terraform

choco install terraform

2. Azure Login Block

provider "azurerm" {
  features {}
}

provider "azuread" {
}

3. Creating an Azure Resource Group

resource "azurerm_resource_group" "rg1" {
  name     = "M365AutomationRG"
  location = "WestUS2"
}

4. Creating an Azure AD Group

resource "azuread_group" "security_group" {
  display_name     = "M365-Automation-Admins"
  security_enabled = true
}

5. Creating an App Registration + Secret

resource "azuread_application" "app" {
  display_name = "Terraform-Automation-App"
}

resource "azuread_service_principal" "sp" {
  application_id = azuread_application.app.application_id
}

resource "azuread_application_password" "sp_secret" {
  application_object_id = azuread_application.app.id
  display_name          = "secret1"
}

6. Conditional Access via Terraform (Yes, possible!)

Uses the Microsoft Graph Terraform provider.

resource "msgraph_conditional_access_policy" "block_non_us" {
  display_name = "Block Non-US IP"
  state        = "enabled"

  conditions {
    users {
      include_users = ["all"]
    }
    locations {
      include_locations = ["All"]
      exclude_locations = ["US"]
    }
  }

  grant_controls {
    operator         = "OR"
    built_in_controls = ["block"]
  }
}

7. Create an M365 Group (Unified Group)

resource "msgraph_group" "m365_group" {
  display_name     = "Engineering Team"
  mail_nickname    = "engineering"
  security_enabled = false
  mail_enabled     = true
  group_type       = ["Unified"]
}

8. Create Azure Key Vault

resource "azurerm_key_vault" "kv" {
  name                = "m365-keyvault-prod"
  location            = azurerm_resource_group.rg1.location
  resource_group_name = azurerm_resource_group.rg1.name
  tenant_id           = data.azuread_client_config.current.tenant_id
  sku_name            = "standard"
}

Conclusion

Terraform is the “blueprint” of modern cloud administration.
Clicking creates inconsistencies — IaC creates reliable, repeatable deployments.

November 25, 2025

Tag: Infrastructure as Code

DevSecOps Comeback: A Beginner-Friendly 30-Day Guided Lab

Before Starting: Required Foundations

1. Basic Git Understanding

2. Basic Azure Comfort

3. Understanding YAML (Very Important)

4. Light Python Example

The DevSecOps Analogy: Snake and Eagle

Week 1: Build and Test Pipeline

Week 2: Secrets and Azure Key Vault

Week 3: Infrastructure as Code

Week 4: Containerization

Final Perspective

Terraform Made Simple, your first working configuration from install to Azure access

Nothing created yet. This is read only.

The goal is to connect Terraform to Azure safely.