🚀 Terraform Azure Infrastructure (Modular Architecture + DevSecOps)

Code Structure

.
├── azure-pipelines.yml                 # Azure DevOps CI/CD pipeline 
├── main
│   ├── main.tf                         # Module orchestration
│   ├── provider.tf                     # Azure provider configuration
│   ├── terraform.tfvars                # Input variable values
│   └── variable.tf                     # Module variables
├── modules
│   ├── 01_resource_group               # Resource Group creation
│   ├── 02_storage_account              # Storage Accounts
│   ├── 03_storage_container            # Storage Containers
│   ├── 04-Public_IP                    # Public IP
│   ├── 05_Virtual_Net                  # VNet & Subnets
│   ├── 06_sql_server                   # Azure SQL Server
│   ├── 07_sql_database                 # Azure SQL Database
│   ├── 08_net_interface                # Network Interfaces
│   └── 09_Virtual_Machine              # Azure VM
└── README.md

3-Tier Terraform Infra + Azure Pipeline Architecture Diagram

---

Git Repository URL:

https://github.com/deepak83s143/3-Tier-Application-Infra-with-SAST-Scanning-Azure-Pipeline.git

---

Features

• Modular Terraform structure
• Incremental resource creation
• Environment-based scalability
• Azure backend remote state configuration
• DevSecOps validation:
• Terraform Validation (terraform validate)
  • tfsec security scan
  • tflint linting
• Manual approval stage before provisioning

---

Technologies

• Terraform — IaC provisioning
• AzureRM Provider
• Azure DevOps Pipeline
• tfsec — Static security scan
• tflint — Terraform linting and provider validation

---

Terraform Workflow (Modules)

The root main/main.tf orchestrates creation in dependency order:

1. Resource Group
2. Storage Account
3. Storage Container
4. Public IP
5. Virtual Network & Subnets
6. SQL Server
7. SQL Database
8. Network Interface
9. Virtual Machine

Each module accepts input variables and returns useful outputs such as IDs, names, and connection objects.

---

Remote State Backend

Azure backend ensures centralized state storage.

backendAzureRmResourceGroupName: "ResourceGroupName"
backendAzureRmStorageAccountName: "StorageAccountName
backendAzureRmContainerName: "StorageContainerName"
backendAzureRmKey: "KeyName"

---

Azure DevOps Pipeline Overview

1. Pipeline stages:

   • Integration
   • Terraform init
   • Terraform validate

2. SanityCheck

   • tfsec security scan
   • tflint recursive lint

3. CodePlanning

   • terraform plan

4. ManualValidation

   • Manual approval by reviewer

5. InfraCreation

   • terraform apply (auto approve)

---

SAST Tools

tfsec

• Performs static vulnerability scanning
• Detects insecure Terraform configurations
• Ensures cloud compliance

Used with:

task: tfsec@1
dir: $(System.DefaultWorkingDirectory)/main
version: v1.26.0

tflint

• Validates wrong resource types, regions, and deprecated resources
• Provider-specific rule sets

Run manually:

tflint --recursive

---

Variables & tfvars

User inputs are stored in:

main/variable.tf
main/terraform.tfvars

Examples include:

• Resource Group configuration
• Storage details
• VNet CIDR blocks and subnet ranges
• SQL server credentials
• VM sizing and OS details

Note! :- Never commit sensitive credentials to Git.

---

Best Practices

• Follow module boundaries strictly
• No direct resource creation in main.tf
• Use tfsec & tflint before merge
• Always review plan outputs
• Store secrets in:
  • Azure KeyVault
  • DevOps Library secure variables

---

Notes

• Designed for IaC repeatability
• Suitable for multi-environment deployments (dev/stg/prod)
• Scalable due to isolated Terraform modules

👉 Follow me on