Forem: Achref Rhouma

Terraform + GitHub Actions for automation

Achref Rhouma — Thu, 14 Aug 2025 19:15:09 +0000

🚀 Building a Secure DevOps Pipeline on Azure with Terraform & GitHub Actions

📖 Why This Guide?

Every DevOps engineer dreams of fully automated, secure infrastructure. This article shows how to build a production-ready Azure pipeline using Terraform and GitHub Actions, with built-in security checks and deployment automation.

1️⃣ Step 1 — Provision Azure Infrastructure with Terraform

We'll create a Resource Group, VNet, and an NSG for secure app deployment.

# main.tf
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "rg" {
  name     = "rg-devsec-demo"
  location = "westeurope"
}

resource "azurerm_virtual_network" "vnet" {
  name                = "vnet-devsec"
  address_space       = ["10.10.0.0/16"]
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
}

resource "azurerm_subnet" "app_subnet" {
  name                 = "app-subnet"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.10.1.0/24"]
}

resource "azurerm_network_security_group" "nsg" {
  name                = "nsg-app"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name

  security_rule {
    name                       = "Allow-HTTPS-Internet"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_address_prefix      = "Internet"
    destination_port_range     = "443"
  }
}

resource "azurerm_subnet_network_security_group_association" "assoc" {
  subnet_id                 = azurerm_subnet.app_subnet.id
  network_security_group_id = azurerm_network_security_group.nsg.id
}

2️⃣ Step 2 — GitHub Actions Workflow

Automate Terraform plan & apply, plus run a security linting check.

# .github/workflows/terraform.yml
name: Terraform CI/CD

on:
  push:
    branches:
      - main

jobs:
  terraform:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2
        with:
          terraform_version: 1.5.0

      - name: Terraform Init
        run: terraform init

      - name: Terraform Validate
        run: terraform validate

      - name: Terraform Plan
        run: terraform plan -out=tfplan

      - name: Terraform Apply
        if: github.ref == 'refs/heads/main'
        run: terraform apply -auto-approve tfplan

💡 Tip: Add tflint or checkov in the workflow for automated security scanning.

3️⃣ Step 3 — Integrate Azure Key Vault for Secrets

resource "azurerm_key_vault" "kv" {
  name                        = "kv-devsec-${random_integer.suffix.result}"
  resource_group_name         = azurerm_resource_group.rg.name
  location                    = azurerm_resource_group.rg.location
  sku_name                    = "standard"
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  purge_protection_enabled    = true
  soft_delete_enabled         = true
}

resource "azurerm_key_vault_access_policy" "admin_policy" {
  key_vault_id = azurerm_key_vault.kv.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = "YOUR_AAD_GROUP_OBJECT_ID"

  key_permissions = [
    "get",
    "list",
    "create",
    "delete"
  ]
}

4️⃣ Step 4 — Continuous Security Checks

Add Azure Policy compliance checks to enforce:

NSG inbound rules restrictions
Private endpoints for Key Vault
Tagging policies for all resources

# Assign built-in Azure Policy
az policy assignment create \
  --name "nsg-inbound-check" \
  --scope "/subscriptions/<SUBSCRIPTION_ID>" \
  --policy "/providers/Microsoft.Authorization/policyDefinitions/NSGInboundRule"

📌 Key Takeaways

Terraform + GitHub Actions = fully automated, secure deployment.
Always scan and lint your IaC code before deployment.
Use RBAC + Key Vault to protect secrets and keys.
Continuous compliance ensures long-term security.

💬 Challenge:

Add a private endpoint to Key Vault and modify the workflow to only deploy when the endpoint is private. Share your code snippets in the comments!

🚀 From Zero to Secure: Deploying a Hardened Azure Environment with Terraform & Azure CLI

Achref Rhouma — Thu, 14 Aug 2025 18:52:27 +0000

🚀 From Zero to Secure: Deploying a Hardened Azure Environment with Terraform & Azure CLI

Tags: #azure #devops #cloudsecurity #terraform

📖 Why This Guide?

Passing a cloud security quiz is great — but real-world deployments require more than memorizing the right answer.

This article takes the concepts behind common Azure security questions and turns them into battle-tested deployments using Azure CLI and Terraform.

You’ll learn how to:

Build a secure Network Security Group with least privilege inbound rules.
Detect & respond to impossible travel sign-ins.
Manage Key Vault data-plane access with Azure RBAC.
Map and implement Defense in Depth layers.

1️⃣ NSG Inbound — The Right Way

Scenario:

You need to allow HTTPS traffic from the Internet to your app subnet — but safely.

Principles:

Restrict by port and protocol.
Avoid * in source IPs unless unavoidable.
Use higher-level protections like WAF where possible.

Azure CLI:

RG=rg-secure-demo
LOC=westeurope
VNET=vnet-secure
SUBNET=app-subnet
NSG=nsg-app
RULE=Allow-HTTPS-Internet
PRIORITY=100

# Create RG and VNet
az group create -n $RG -l $LOC
az network vnet create -g $RG -n $VNET -l $LOC \
  --address-prefixes 10.10.0.0/16 \
  --subnet-name $SUBNET --subnet-prefix 10.10.1.0/24

# Create NSG
az network nsg create -g $RG -n $NSG

# Add inbound HTTPS rule
az network nsg rule create \
  -g $RG --nsg-name $NSG -n $RULE \
  --priority $PRIORITY \
  --direction Inbound --access Allow --protocol Tcp \
  --source-address-prefixes Internet \
  --destination-port-ranges 443

# Attach NSG to subnet
az network vnet subnet update \
  -g $RG --vnet-name $VNET -n $SUBNET \
  --network-security-group $NSG

2️⃣ Detecting Impossible Travel

Concept: Impossible travel is when a user logs in from two locations so far apart that traveling between them in the elapsed time is physically impossible.

KQL Query in Log Analytics:

SigninLogs
| where ResultType == 0
| project TimeGenerated, UserPrincipalName, Location = tostring(LocationDetails.countryOrRegion)
| order by UserPrincipalName, TimeGenerated
| extend PrevLocation = prev(Location), PrevTime = prev(TimeGenerated), PrevUser = prev(UserPrincipalName)
| where UserPrincipalName == PrevUser and Location != PrevLocation
| where datetime_diff('minute', PrevTime, TimeGenerated) < 60

Real-World Action:

Enable Azure AD Identity Protection.
Create Conditional Access policy:
- Sign-in risk = Medium+
- Action = Require MFA or Block
Start in report-only mode, then enforce.

3️⃣ Key Vault Access with RBAC

Scenario:

Grant a specific Azure AD group permissions to create & delete keys in Key Vault.

Azure CLI:

RG=rg-secure-demo
LOC=westeurope
KV=kv-secure-$RANDOM
GROUP_NAME="kv-crypto-admins"

# Create Key Vault
az keyvault create -n $KV -g $RG -l $LOC

# Create AAD group
GROUP_ID=$(az ad group create --display-name "$GROUP_NAME" --mail-nickname "$GROUP_NAME" --query id -o tsv)

# Assign Key Vault Administrator role
ROLE="Key Vault Administrator"
SCOPE=$(az keyvault show -n $KV -g $RG --query id -o tsv)
az role assignment create \
  --assignee-object-id $GROUP_ID \
  --assignee-principal-type Group \
  --role "$ROLE" \
  --scope "$SCOPE"

Best Practice:

Use RBAC instead of legacy access policies for unified permissions management.

4️⃣ Implementing Defense in Depth

Layer Mapping:

Layer	Controls	Azure Services
Perimeter	DDoS/WAF, TLS termination	Azure DDoS, Front Door
Network	Segmentation, ACLs	VNet, NSG, ASG
Compute	Hardening, patching	Azure VM, Defender for Cloud
Identity	AuthN/Z, least privilege	Entra ID, Conditional Access
Application	Input validation, data access	Key Vault, Managed Identity
Data	Encryption, backups	SSE, Azure Backup
Monitoring	Detect/respond	Log Analytics, Sentinel

🧹 Clean-Up

az group delete -n rg-secure-demo --yes --no-wait

📌 Key Takeaways

NSG rules should be precise — no blanket * inbound.
Impossible travel is a high-confidence detection signal.
Key Vault RBAC is modern, scalable, and auditable.
Security works best in layers.

💬 Question for you:

What’s one Azure security trick you use that isn’t in Microsoft’s documentation? Drop it in the comments, and I’ll build a full code example for it.

🔐 Azure Security Deep-Dive: From Quiz Questions to Real-World Cloud Implementations (with Code)

Achref Rhouma — Thu, 14 Aug 2025 18:45:20 +0000

TL;DR:

This article takes four common Azure security quiz questions and turns them into actionable, production-ready infrastructure setups using Azure CLI, Bicep, and Terraform.

We go from “multiple-choice answer” → real deployment → validation & best practices.

💡 Why This Article?

Quizzes are fun. Passing certifications is satisfying.

But production workloads? That’s where the stakes are real — and that’s why I took four real Azure security quiz topics and built out full, working implementations you can deploy today.

Here’s what we’ll cover:

Network Security Groups (NSGs) — Correctly allowing Internet inbound traffic.
Identity Protection — Detecting “impossible travel” and reacting.
Key Vault RBAC — Granting a group create/delete permissions via Azure AD authentication.
Defense in Depth — Correctly mapping Azure services to security layers.

1️⃣ Network Security Groups — Allowing Internet Inbound (The Right Way)

Quiz Recap

To allow traffic from the Internet, which rule should be added?

✅ Internet Inbound Allow

The Why:

A Network Security Group (NSG) acts like a firewall at the network interface or subnet level. By default, NSGs block inbound traffic from the Internet. If you want to allow it, you must create an Inbound Allow rule.

But here’s the catch:

The quiz makes it sound like “Allow All” — in production, that’s dangerous.
You must restrict by protocol, port, and source IP where possible.
Even better: Put a WAF or Reverse Proxy in front of direct inbound access.

🖥 Azure CLI Example

RG=rg-secure-demo
LOC=westeurope
VNET=vnet-secure
SUBNET=app-subnet
NSG=nsg-app
RULE=Allow-HTTPS-Internet
PRIORITY=100

# Create RG and VNet
az group create -n $RG -l $LOC
az network vnet create -g $RG -n $VNET -l $LOC \
  --address-prefixes 10.10.0.0/16 \
  --subnet-name $SUBNET --subnet-prefix 10.10.1.0/24

# Create NSG
az network nsg create -g $RG -n $NSG

# Add inbound rule for HTTPS from Internet
az network nsg rule create \
  -g $RG --nsg-name $NSG -n $RULE \
  --priority $PRIORITY \
  --direction Inbound --access Allow --protocol Tcp \
  --source-address-prefixes Internet \
  --destination-port-ranges 443

# Attach NSG to subnet
az network vnet subnet update \
  -g $RG --vnet-name $VNET -n $SUBNET \
  --network-security-group $NSG

💡 Tip: Never open RDP (3389) or SSH (22) to Internet. If unavoidable, enable Just-in-Time VM Access with Azure Bastion.

🧱 Bicep Version

param location string = 'westeurope'

resource nsg 'Microsoft.Network/networkSecurityGroups@2024-03-01' = {
  name: 'nsg-app'
  location: location
  properties: {
    securityRules: [
      {
        name: 'Allow-HTTPS-Internet'
        properties: {
          access: 'Allow'
          direction: 'Inbound'
          priority: 100
          protocol: 'Tcp'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '443'
        }
      }
    ]
  }
}

2️⃣ Identity Protection — Impossible Travel

Quiz Recap

Which classification is used to detect risky sign-ins?

✅ Abnormal / Impossible Travel

The Why:

Impossible travel is detected when a user signs in from two locations so far apart that traveling between them in the elapsed time would be physically impossible.

How Azure Detects It:

Location based on IP geolocation.
Sign-in logs processed by Microsoft’s risk detection engine.
Can trigger a Sign-In Risk classification.

🔍 KQL Example to Spot Impossible Travel

SigninLogs
| where ResultType == 0
| project TimeGenerated, UserPrincipalName, Location = tostring(LocationDetails.countryOrRegion)
| order by UserPrincipalName, TimeGenerated
| extend PrevLocation = prev(Location), PrevTime = prev(TimeGenerated), PrevUser = prev(UserPrincipalName)
| where UserPrincipalName == PrevUser and Location != PrevLocation
| where datetime_diff('minute', PrevTime, TimeGenerated) < 60

Real-World Action Plan:

Enable Azure AD Identity Protection.
Create a Conditional Access policy:
- Target sign-in risk: Medium and above.
- Grant MFA or block access.
Start in report-only mode → then enforce.

3️⃣ Key Vault Data-Plane Access via RBAC

Quiz Recap

A group must create & delete keys in Key Vault using Azure AD auth. Which tool grants access?

✅ RBAC (Role-Based Access Control)

🖥 Azure CLI Example

RG=rg-secure-demo
LOC=westeurope
KV=kv-secure-$RANDOM
GROUP_NAME="kv-crypto-admins"

# Create Key Vault
az keyvault create -n $KV -g $RG -l $LOC

# Create AAD group
GROUP_ID=$(az ad group create --display-name "$GROUP_NAME" --mail-nickname "$GROUP_NAME" --query id -o tsv)

# Assign Key Vault Administrator role to group
ROLE="Key Vault Administrator"
SCOPE=$(az keyvault show -n $KV -g $RG --query id -o tsv)
az role assignment create \
  --assignee-object-id $GROUP_ID \
  --assignee-principal-type Group \
  --role "$ROLE" \
  --scope "$SCOPE"

💡 Tip:

Prefer RBAC over legacy Access Policies.
For least privilege, create a custom role if “Key Vault Administrator” is too broad.

4️⃣ Defense in Depth — Layer Mapping

Quiz Recap

Which statement is correct?

✅ Application layer controls access to business & customer data.

Layer Mapping Table

Layer	Primary Controls	Azure Services
Perimeter	DDoS/WAF, TLS termination	Azure DDoS, Front Door, App Gateway
Network	Segmentation, ACLs	VNet, NSG, ASG, Private Link
Compute	Hardening, patching, EDR	Azure VM, Defender for Cloud
Identity	AuthN/Z, least privilege	Entra ID, Conditional Access
Application	Input validation, secrets/data access	Key Vault, Managed Identity
Data	Encryption, backup	Key Vault, SSE, Azure Backup
Monitoring	Detect/respond	Log Analytics, Sentinel

🧹 Clean-Up Command

az group delete -n rg-secure-demo --yes --no-wait

📌 Key Takeaways

NSG inbound rules must be precise — avoid * when possible.
Impossible travel is a high-confidence risk signal worth automating responses for.
Key Vault RBAC is the modern, centralized way to manage secrets and keys access.
Defense in Depth is layered; each layer complements the others.

🚀 Your Turn

Challenge:

Try expanding one of these configurations with:

Private endpoints for Key Vault.
Custom Conditional Access policies for specific apps.
NSG flow logs to Azure Monitor for traffic analysis.

💬 Discussion Prompt:

What’s your favorite Azure security best practice that isn’t covered in most quizzes?

Post it in the comments — I’ll try to build it in code for a follow-up article.

🎮 Gaming Innovations: The Future is Now

Achref Rhouma — Wed, 13 Aug 2025 17:20:40 +0000

Gaming has evolved from simple pixelated screens to fully immersive worlds. By 2025, gaming innovations are reshaping how we play, connect, and experience stories. But with great innovation comes new challenges—and unprecedented opportunities.

1️⃣ Virtual Reality (VR) and Immersive Worlds 🕶️

VR is no longer just a novelty. Today’s VR games allow players to step directly into stunningly realistic environments. From exploring alien planets to surviving post-apocalyptic worlds, the line between game and reality is blurring.

Key innovations:

Haptic suits providing full-body feedback
VR escape rooms that adapt in real-time
Multiplayer VR worlds merging social interaction and gaming

🖼️ Image suggestion: A player wearing a full VR setup in a vibrant futuristic city.

2️⃣ Artificial Intelligence in NPCs 🤖

AI is revolutionizing how non-player characters (NPCs) behave. No more repetitive patterns—NPCs now react dynamically, learn from your actions, and even form strategies against you.

Examples:

Adaptive enemy AI that remembers your previous moves
NPC companions with emotional intelligence
Procedurally generated quests personalized for your play style

🖼️ Image suggestion: A tense scene where an AI-driven enemy is planning an ambush.

3️⃣ Cloud Gaming and Accessibility ☁️

Cloud gaming is making high-end gaming accessible anywhere, anytime, without expensive hardware. With ultra-fast streaming, gamers can jump into top-tier titles on phones, tablets, or low-spec PCs.

Impact:

Eliminates the need for powerful consoles
Instant multiplayer matchmaking across devices
Democratizes gaming globally

🖼️ Image suggestion: A player streaming a high-end game on a tablet in a cozy cafe.

4️⃣ Cross-Reality Gaming (XR) 🌐

XR combines AR, VR, and real-world environments to create unique experiences. Players can interact with games that overlay digital content on the real world, making gaming a part of everyday life.

Examples:

AR treasure hunts in city streets
Mixed reality board games in your living room
Sports simulations blending physical movement with virtual environments

🖼️ Image suggestion: Players chasing digital creatures in a real urban park.

5️⃣ Game Streaming and Social Interaction 🎥

Streaming platforms have transformed gaming into a spectator sport. Gamers aren’t just playing—they’re creating communities, influencing game design, and shaping esports culture.

Highlights:

Interactive streams where viewers control game elements
Esports tournaments broadcast globally with real-time analytics
Social hubs for gamers to meet, collaborate, and compete

🖼️ Image suggestion: A streamer surrounded by multi-screen setups with fans cheering virtually.

6️⃣ Procedural Generation and Infinite Worlds 🌌

Procedural generation allows developers to create endless game worlds with unique landscapes, quests, and challenges every time you play.

Advantages:

Each playthrough is different
Reduces development costs for large worlds
Inspires creativity and exploration in players

🖼️ Image suggestion: A vast, procedurally generated fantasy landscape with mountains, rivers, and cities.

💡 Final Thought

Gaming innovations are not just about technology—they’re about experience. From VR immersion to AI-driven NPCs, cloud gaming, and XR adventures, the future of gaming is limitless.

❓ The Big Question:

Are you ready to explore worlds that don’t exist—yet feel completely real?

The Power of AI: How Artificial Intelligence is Reshaping Our World in 2025 🤖⚡

Achref Rhouma — Wed, 13 Aug 2025 17:13:37 +0000

🤖 The Dark Side of AI: Are We Losing Control?

Artificial Intelligence (AI) is no longer a distant dream—it’s transforming the world, but not always for the better. By 2025, AI is influencing industries, creativity, and daily life—but alongside its promises come ethical dilemmas, privacy risks, and social disruption.

💡 Imagine this:

AI predicting behaviors before consent, making decisions faster than humans can comprehend, or analyzing personal data to manipulate choices. This is already happening, reshaping our lives in ways we may not fully understand.

1️⃣ Job Displacement and Economic Risks 💼

AI automation is replacing repetitive and even complex tasks at unprecedented speed. While efficiency increases, millions of jobs could vanish, creating unemployment, underemployment, and economic inequality.

Examples of impact:

AI-powered factories replacing assembly line workers
Automated customer service reducing human roles
Financial AI systems performing analysis faster than human analysts

⚠️ Warning: If society does not adapt, AI could create a massive workforce gap, leaving vulnerable populations behind.

2️⃣ Data Exploitation and Privacy Threats 🔐

AI thrives on data—lots of it. But with vast data collection comes serious privacy risks. Companies and governments can analyze personal behavior in ways individuals never agreed to or even understand.

Critical concerns:

Predictive AI profiling users without consent
Targeted advertising manipulating choices subtly
Security breaches exposing sensitive information

🔍 Reality check: AI can know more about you than your closest friends—and it’s always learning.

3️⃣ Creativity Risks and Content Manipulation 🎭

AI is a powerful creative tool, but it can also copy, distort, or fabricate content. Human art, music, and writing may be replicated or replaced, raising questions about ownership, originality, and authenticity.

Potential consequences:

AI-generated art flooding creative markets
Fake news and deepfakes spreading misinformation
Original works being undervalued or misattributed

🎨 Fact: Creativity without ethics can become manipulation disguised as innovation.

4️⃣ Hyper-Personalization and Social Manipulation 🧠

AI learns habits, preferences, and behaviors, tailoring experiences to individuals. While convenient, this can create echo chambers, biased recommendations, and privacy invasions.

Examples:

Social media feeds engineered to maximize engagement
AI-powered political messaging influencing opinions
Personalized content reinforcing biases instead of broadening understanding

⚠️ Caution: Personalization may feel helpful, but it can subtly control choices without consent.

5️⃣ Ethical Dilemmas and Accountability ⚖️

AI decisions are often opaque and unexplainable. Without careful oversight, AI can amplify societal biases, make unfair decisions, or compromise safety.

Key ethical issues:

Biased AI algorithms affecting hiring, loans, or law enforcement
Autonomous systems making life-or-death decisions
Lack of transparency in AI-driven governance

⚡ Remember: AI is a tool, not a judge—and humans must be accountable for its actions.

6️⃣ The Risk of Over-Reliance 🤯

Society is increasingly dependent on AI, from navigation apps to financial advice. Over-reliance could make humans less capable of independent thinking and reduce critical skills.

Examples:

Automated decision-making replacing human judgment
Education systems relying too heavily on AI tutoring
Critical infrastructure controlled largely by AI systems

🧠 Insight: Blind trust in AI can create fragile systems vulnerable to errors or attacks.

💡 Final Thought

AI is extraordinarily powerful, but power without responsibility can be dangerous. The future depends on how society controls, regulates, and ethically integrates AI into daily life.

❓ The Big Question:

Will you let AI steer your life, or will you take control before it’s too late?