GABC2019: Terraform and Azure - How to GitOps by Sandro Köchli & Jörn Stenkamp

Transcript

1. None

2. Who am I? Sandro Köchli Solution Architect & Co-Founder https://www.linkedin.com/in/sandro-koechli/

3. Who am I? Jörn Stenkamp Sr. Solutions Engineer @ Hashicorp

4. About us: Berne, Basel, Zürich & Lausanne 60 Employees Broad

   Customer Base 100% Open Source Since 2000

5. Our Services Engineering Managed Services DevOps Development

6. Partners

7. Terraform and Azure: How to GitOps?

8. What is GitOps? • Managing Infrastructure as Code with a

   single source of truth (Git) • Describe your infrastructure in a declarative way • Use GitFlows to collaborate between teams (Producer / Consumer)

9. Agile IT (Former: Agile Software Development) • Infrastructure needs to

   keep up with the development • Slow manual order processes slow down changes to infrastructure • Config management is already widely used and integrated into CI/CD but not Infrastructure as Code • Infrastructure is often decoupled from the end-to-end automation process

10. What exists for Azure? • ARM Templates (limited to Azure

    only) • JSON format (good for machines but not for humans) • Hard to write and hard to debug (syntax) • Terraform (multi-cloud, hybrid) • HCL format (human friendly) or JSON • Abstraction for 200+ different resource provider (incl. Azure)

11. Pros • Hybrid incl. dependencies • Easy common syntax (HCL)

    • Governance & Compliance: • e.g. Policy as Code, Templates • Lifecycle management of the resources (day 1 and day 2+) • Maybe not all new Azure features available from day 1 Cons Terraform
12. None

13. Terraform 101 • Components: Core, Provider, Modules, Provisioner, UI •

    Workflow: init, plan, apply • Dependency map • Terraform State • Full API • Sentinel: Policy as Code

14. Terraform Packages (OSS vs. Enterprise)

15. Provider Model

16. Terraform Modules • Reusable templated infrastructure • Customize as needed

    with variable input • Producer / Consumer Workflow • Producer creates modules -> Modules published to registry • Consumer leverages registry to create infrastructure as needed

17. Policies as Code Policies are used to enforce best-practises, security

    measures, and compliance.

18. Full API Integrate with existing workflows: • CI/CD pipeline integration

    • Provision teams from Service Now Use API endpoints to manage: • Environment variables • Trigger Plan/Apply • Retrieve state information
19. None

20. Stages of Terraform adoption and Git DevSecOps Workflow

21. Stage 1 – As Individual Practitioner Individual IaC / TF-config

    Declarative description of how the world should look like

22. Stage 1 – As Individual Practitioner Plan Individual IaC /

    TF-config Declarative description of how the world should look like Compare the actual provider state with the designated state and show the difference.

23. Stage 1 – As Individual Practitioner Plan Apply Individual IaC

    / TF-config Declarative description of how the world should look like Compare the actual provider state with the designated state and show the difference. Execute the plan and resolve the diff

24. Stage 2 – As Team Not stepping on each others

    toe Team Collaboration IaC

25. Stage 2 – As Team Not stepping on each others

    toe Team Collaboration • Single Source of truth • Commit based • Version History • Code review • One change at a time IaC VCS

26. Stage 2 – As Team Not stepping on each others

    toe Plan Apply Team Collaboration • Single Source of truth • One change at a time • Version History • Commit based • Code review IaC VCS

27. Plan Apply Teams Stage 2 – Teams Hierarchically Decompose Infrastructure

    Only one File to describe your infrastructure?

28. Plan Apply Teams N/W Stage 2 – Teams Hierarchically Decompose

    Infrastructure

29. Plan Apply Teams N/W Sec Log Mon Stage 2 –

    Teams Hierarchically Decompose Infrastructure Middleware Tier

30. Plan Apply Teams N/W Sec Log Mon App1 App2 Stage

    2 – Teams Hierarchically Decompose Infrastructure Foundation Tier Middleware Tier Application Tier

31. Plan Apply Teams N/W Sec Log Mon App1 App2 Stage

    2 – Teams Hierarchically Decompose Infrastructure Foundation Tier Middleware Tier Application Tier Workspaces:

32. Plan Apply Teams N/W Sec Log Mon App1 App2 Stage

    2 – Teams Hierarchically Decompose Infrastructure Foundation Tier Middleware Tier Application Tier Workspaces: Introducing RBAC

33. Private Module Registry DB Java Node.js … Publishers Consumers Sandbox

    Policy as Code Java DB Custom X Sentinel cidr size date/time cloud provider …many more… Stage 3 – In Organizations Module registry / Governance and Compliancy

34. DevOps Workflow for Organizations VCS orientated workflow with segregation of

    duties

35. Segregation of duties Prerequisites / initial admin steps

36. Segregation of duties Sec creates environment for Ops

37. VCS <-> Workspace interaction

38. On Azure • Modules for Azure: registry.terraform.io • e.g.: https://github.com/Azure/terraform-azurerm-compute

    • Azure Cloud Shell has native Terraform support • Marketplace offering: Ubuntu VM with Terraform & remote state support • Terraform Hub: https://docs.microsoft.com/en-us/azure/terraform/

39. How to learn Terraform? • https://learn.hashicorp.com/terraform/azure/intro_az • Learn how to

    use Terraform with Azure

40. Contact Website: adfinis-sygroup.ch Twitter: @adfinissygroup LinkedIn: /adfinis-sygroup-ag GitHub: /adfinis-sygroup

41. Thanks to our sponsors!