Terraform playbook of a vulnerable Azure deployment
Written by Michael Braun
The purpose of this project is to build an intentionally vulnerable environment for me to experiment with. I see this as having two main purposes:
- Test offensive principles and tools against vulnerable Azure infrastructure
- Test defensive tools to evaluate their capabilities in the Cloud and the CI/CD pipeline.
This is a first version, as it was also a way for me to learn about Azure, Terraform and Github Actions.
Here is a crude diagram of what this playbook will build:
All services are open and accessible to the internet.
DO NOT DEPLOY THIS IN A PRODUCTION ENVIRONMENT
- Github Account
- Azure Account
- Terraform Cloud Account
This writeup assumes that you have basic working knowledge of all of these services.
Fork the VulnerableAzure repository into your personal Github account.
Create an App Registration in Azure. As this will be used multiple times, please note the following:
- Application (client) ID
- Directory (tenant) ID
- Secret
- Subscription ID
Ensure that you give this app registration "Contributor" permission. This is required for Terraform to build the environment.
Create a new workspace in your Organization and select CLI-driven run. Then configure your variables.
Start with the Environment Variables. Input the Azure App Registration information you noted earlier. Use the following keys.
Then fill in the variables required to run the Terraform playbook. Reuse the Azure App Registration client id and secret for the client_id and the client_secret variables.
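The App Registration values above have to reach Terraform through the environment, and a typo in a GUID or a missing secret usually surfaces only as an opaque provider error halfway through a run. The following pre-flight check is an added example, not code from the VulnerableAzure repository; it assumes the azurerm provider's standard ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_TENANT_ID and ARM_SUBSCRIPTION_ID environment variable names and can be run as a pipeline step before `terraform plan`:

```shell
#!/bin/sh
# Added example (not part of the VulnerableAzure project): verify that the
# Azure App Registration values are present in the environment under the
# azurerm provider's ARM_* variable names (an assumption about the provider's
# documented names) before Terraform is invoked.

# Return 0 if $1 looks like an Azure GUID (8-4-4-4-12 hex groups), 1 otherwise.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Check every credential the provider needs. Report each problem on stderr
# and return 1 so the CI step fails fast rather than Terraform failing mid-run.
check_arm_env() {
  rc=0
  for name in ARM_CLIENT_ID ARM_TENANT_ID ARM_SUBSCRIPTION_ID; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "missing: $name" >&2
      rc=1
    elif ! is_guid "$value"; then
      echo "not a GUID: $name" >&2
      rc=1
    fi
  done
  # Only report presence of the secret; never print its value into CI logs.
  if [ -z "${ARM_CLIENT_SECRET:-}" ]; then
    echo "missing: ARM_CLIENT_SECRET" >&2
    rc=1
  fi
  return "$rc"
}

# Usage as a pipeline step (uncomment to run as a script):
# check_arm_env && terraform plan
```

The secret is deliberately checked only for presence, so the guard can run with normal log verbosity in GitHub Actions or Terraform Cloud without leaking it.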
Under the user settings, select Tokens and create an API token. Note the value for later.
Select settings and add the following secrets to your repository: