GABC2019: Terraform and Azure - How to GitOps by Sandro Köchli & Jörn Stenkamp


Transforming your infrastructure leads to infrastructure automation. Besides using config management, which is already very common, many companies are adopting infrastructure-as-code principles and introducing GitOps workflows.
Terraform is the most popular tool for Infrastructure as Code. Besides the Azure Cloud, it supports various other cloud and on-prem solutions. Using Terraform can be as easy as opening your Azure Cloud Shell, as it is already integrated there.


Azure Zurich User Group

April 27, 2019

Transcript

  1. None
  2. Who am I? Sandro Köchli Solution Architect & Co-Founder https://www.linkedin.com/in/sandro-koechli/

  3. Who am I? Jörn Stenkamp Sr. Solutions Engineer @ Hashicorp

  4. About us: Berne, Basel, Zürich & Lausanne • 60 Employees • Broad Customer Base • 100% Open Source • Since 2000
  5. Our Services Engineering Managed Services DevOps Development

  6. Partners

  7. Terraform and Azure: How to GitOps?

  8. What is GitOps? • Managing Infrastructure as Code with a single source of truth (Git) • Describe your infrastructure in a declarative way • Use GitFlows to collaborate between teams (Producer / Consumer)
  9. Agile IT (formerly: Agile Software Development) • Infrastructure needs to keep up with development • Slow manual order processes slow down changes to infrastructure • Config management is already widely used and integrated into CI/CD, but not Infrastructure as Code • Infrastructure is often decoupled from the end-to-end automation process
  10. What exists for Azure? • ARM Templates (limited to Azure only) • JSON format (good for machines but not for humans) • Hard to write and hard to debug (syntax) • Terraform (multi-cloud, hybrid) • HCL format (human friendly) or JSON • Abstraction for 200+ different resource providers (incl. Azure)
  11. Terraform – Pros: • Hybrid incl. dependencies • Easy common syntax (HCL) • Governance & Compliance, e.g. Policy as Code, Templates • Lifecycle management of the resources (day 1 and day 2+) Cons: • Maybe not all new Azure features available from day 1
  12. None
  13. Terraform 101 • Components: Core, Provider, Modules, Provisioner, UI • Workflow: init, plan, apply • Dependency map • Terraform State • Full API • Sentinel: Policy as Code
  14. Terraform Packages (OSS vs. Enterprise)

  15. Provider Model

  16. Terraform Modules • Reusable templated infrastructure • Customize as needed with variable input • Producer / Consumer Workflow • Producer creates modules -> Modules published to registry • Consumer leverages registry to create infrastructure as needed
  17. Policies as Code • Policies are used to enforce best practices, security measures, and compliance.
  18. Full API • Integrate with existing workflows: • CI/CD pipeline integration • Provision teams from ServiceNow • Use API endpoints to manage: • Environment variables • Trigger Plan/Apply • Retrieve state information
  19. None
  20. Stages of Terraform adoption and Git DevSecOps Workflow

  21. Stage 1 – As Individual Practitioner • Individual IaC / TF-config: declarative description of how the world should look
  22. Stage 1 – As Individual Practitioner • Individual IaC / TF-config: declarative description of how the world should look • Plan: compare the actual provider state with the designated state and show the difference
  23. Stage 1 – As Individual Practitioner • Individual IaC / TF-config: declarative description of how the world should look • Plan: compare the actual provider state with the designated state and show the difference • Apply: execute the plan and resolve the diff
  24. Stage 2 – As Team: Not stepping on each other's toes • Team Collaboration • IaC
  25. Stage 2 – As Team: Not stepping on each other's toes • Team Collaboration: IaC + VCS • Single source of truth • Commit based • Version history • Code review • One change at a time
  26. Stage 2 – As Team: Not stepping on each other's toes • Team Collaboration: IaC + VCS • Single source of truth • One change at a time • Version history • Commit based • Code review • Plan / Apply
  27. Stage 2 – Teams Hierarchically Decompose Infrastructure • Plan / Apply • Teams • Only one file to describe your infrastructure?
  28. Stage 2 – Teams Hierarchically Decompose Infrastructure • Plan / Apply • Teams: N/W
  29. Stage 2 – Teams Hierarchically Decompose Infrastructure • Plan / Apply • Teams: N/W, Sec, Log, Mon • Middleware Tier
  30. Stage 2 – Teams Hierarchically Decompose Infrastructure • Plan / Apply • Teams: N/W, Sec, Log, Mon, App1, App2 • Foundation Tier, Middleware Tier, Application Tier
  31. Stage 2 – Teams Hierarchically Decompose Infrastructure • Plan / Apply • Teams: N/W, Sec, Log, Mon, App1, App2 • Foundation Tier, Middleware Tier, Application Tier • Workspaces:
  32. Stage 2 – Teams Hierarchically Decompose Infrastructure • Plan / Apply • Teams: N/W, Sec, Log, Mon, App1, App2 • Foundation Tier, Middleware Tier, Application Tier • Workspaces: Introducing RBAC
  33. Stage 3 – In Organizations: Module registry / Governance and Compliance • Private Module Registry: Publishers (DB, Java, Node.js, …) -> Consumers, Sandbox • Policy as Code (Sentinel): Java, DB, Custom X; cidr size, date/time, cloud provider, …many more…
  34. DevOps Workflow for Organizations • VCS-orientated workflow with segregation of duties
  35. Segregation of duties Prerequisites / initial admin steps

  36. Segregation of duties Sec creates environment for Ops

  37. VCS <-> Workspace interaction

  38. On Azure • Modules for Azure: registry.terraform.io, e.g. https://github.com/Azure/terraform-azurerm-compute • Azure Cloud Shell has native Terraform support • Marketplace offering: Ubuntu VM with Terraform & remote state support • Terraform Hub: https://docs.microsoft.com/en-us/azure/terraform/
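As an added example (not from the deck, nor code by Adfinis or HashiCorp), the producer/consumer module workflow of slide 16 combined with the Azure remote state of slide 38 and the per-environment workspaces of slides 31 and 32. Every name in it (`rg-tfstate`, `sttfstateplaceholder`, `demo-`, the `modules/network` path, the CIDRs and the `westeurope` region) is a placeholder, and it assumes Terraform 0.12+ syntax and azurerm provider 2.x or later (`features {}`, `address_prefixes`), which is newer than the April 2019 deck.

```hcl
# --- Producer side: modules/network/main.tf (what a producer team would publish to a registry) ---
variable "name_prefix"   { type = string }
variable "location"      { type = string }
variable "address_space" { type = string } # e.g. "10.10.0.0/16" (constructed sample value)

resource "azurerm_resource_group" "this" {
  name     = "${var.name_prefix}-rg"
  location = var.location
}

resource "azurerm_virtual_network" "this" {
  name                = "${var.name_prefix}-vnet"
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name
  address_space       = [var.address_space]
}

resource "azurerm_subnet" "app" {
  name                 = "app"
  resource_group_name  = azurerm_resource_group.this.name
  virtual_network_name = azurerm_virtual_network.this.name
  # carve a /24 out of the /16 instead of hard-coding a second CIDR
  address_prefixes     = [cidrsubnet(var.address_space, 8, 1)]
}

output "subnet_id" { value = azurerm_subnet.app.id }

# --- Consumer side: main.tf in the team's Git repository (the GitOps single source of truth) ---
terraform {
  required_version = ">= 0.12"
  # Shared remote state in an Azure Storage container (placeholder names; the
  # storage account and container must exist before `terraform init`).
  backend "azurerm" {
    resource_group_name  = "rg-tfstate"
    storage_account_name = "sttfstateplaceholder"
    container_name       = "tfstate"
    key                  = "foundation.tfstate"
  }
}

provider "azurerm" {
  features {} # required by azurerm provider 2.x and later
}

# `terraform workspace select dev` (or `prod`) chooses the environment; the workspace
# name feeds naming and the address plan, so one config serves both with separate state.
module "network" {
  source        = "./modules/network" # "<org>/network/azurerm" once published to a registry
  name_prefix   = "demo-${terraform.workspace}"
  location      = "westeurope"
  address_space = terraform.workspace == "prod" ? "10.20.0.0/16" : "10.10.0.0/16"
}
```

With the azurerm backend, each workspace gets its own state blob under the configured key, so `plan`/`apply` for `dev` can never touch the `prod` state.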
  39. How to learn Terraform? • https://learn.hashicorp.com/terraform/azure/intro_az • Learn how to use Terraform with Azure
  40. Contact Website: adfinis-sygroup.ch Twitter: @adfinissygroup LinkedIn: /adfinis-sygroup-ag GitHub: /adfinis-sygroup

  41. Thanks to our sponsors!