GABC2019: Terraform and Azure - How to GitOps by Sandro Köchli & Jörn Stenkamp


Transforming your infrastructure leads to infrastructure automation. Besides configuration management, which is already very common, many companies are adopting Infrastructure as Code principles and introducing GitOps workflows.
Terraform is the most popular tool for Infrastructure as Code. Besides Azure, it supports various other cloud and on-premises platforms. Using Terraform can be as easy as opening your Azure Cloud Shell, where it is already integrated.


Azure Zurich User Group

April 27, 2019

Transcript

  1. 1.
  2. 4.

    About us: Berne, Basel, Zürich & Lausanne • 60 employees • Broad customer base • 100% Open Source • Since 2000
  3. 8.

    What is GitOps? • Managing Infrastructure as Code with a single source of truth (Git) • Describe your infrastructure in a declarative way • Use Git flows to collaborate between teams (Producer / Consumer)
  4. 9.

    Agile IT (formerly: Agile Software Development) • Infrastructure needs to keep up with development • Slow manual ordering processes slow down changes to infrastructure • Config management is already widely used and integrated into CI/CD, but Infrastructure as Code is not • Infrastructure is often decoupled from the end-to-end automation process
  5. 10.

    What exists for Azure? • ARM Templates (limited to Azure only) • JSON format (good for machines but not for humans) • Hard to write and hard to debug (syntax) • Terraform (multi-cloud, hybrid) • HCL format (human friendly) or JSON • Abstraction for 200+ different resource providers (incl. Azure)
  6. 11.

    Terraform Pros: • Hybrid incl. dependencies • Easy common syntax (HCL) • Governance & Compliance, e.g. Policy as Code, Templates • Lifecycle management of the resources (day 1 and day 2+) Cons: • Maybe not all new Azure features available from day 1
  7. 12.
  8. 13.

    Terraform 101 • Components: Core, Provider, Modules, Provisioner, UI • Workflow: init, plan, apply • Dependency map • Terraform State • Full API • Sentinel: Policy as Code
  9. 16.

    Terraform Modules • Reusable templated infrastructure • Customize as needed with variable input • Producer / Consumer workflow • Producer creates modules -> modules published to registry • Consumer leverages registry to create infrastructure as needed
  10. 18.

    Full API: Integrate with existing workflows: • CI/CD pipeline integration • Provision teams from ServiceNow. Use API endpoints to manage: • Environment variables • Trigger Plan/Apply • Retrieve state information
  11. 19.
  12. 21.

    Stage 1 – As Individual Practitioner: Individual IaC / TF-config: declarative description of how the world should look.
  13. 22.

    Stage 1 – As Individual Practitioner: Individual IaC / TF-config: declarative description of how the world should look. Plan: compare the actual provider state with the designated state and show the difference.
  14. 23.

    Stage 1 – As Individual Practitioner: Individual IaC / TF-config: declarative description of how the world should look. Plan: compare the actual provider state with the designated state and show the difference. Apply: execute the plan and resolve the diff.
  15. 24.
  16. 25.

    Stage 2 – As Team: Not stepping on each other's toes. Team collaboration with IaC in a VCS: • Single source of truth • Commit based • Version history • Code review • One change at a time
  17. 26.

    Stage 2 – As Team: Not stepping on each other's toes. Plan, Apply. Team collaboration with IaC in a VCS: • Single source of truth • One change at a time • Version history • Commit based • Code review
  18. 27.
  19. 29.

    Stage 2 – Teams: Hierarchically decompose infrastructure. Teams: N/W, Sec, Log, Mon; Middleware Tier; each with Plan / Apply
  20. 30.

    Stage 2 – Teams: Hierarchically decompose infrastructure. Foundation Tier (teams N/W, Sec, Log, Mon), Middleware Tier, Application Tier (App1, App2); each with Plan / Apply
  21. 31.

    Stage 2 – Teams: Hierarchically decompose infrastructure. Foundation Tier (teams N/W, Sec, Log, Mon), Middleware Tier, Application Tier (App1, App2); each with Plan / Apply. Workspaces:
  22. 32.

    Stage 2 – Teams: Hierarchically decompose infrastructure. Foundation Tier (teams N/W, Sec, Log, Mon), Middleware Tier, Application Tier (App1, App2); each with Plan / Apply. Workspaces: Introducing RBAC
  23. 33.

    Stage 3 – In Organizations: Module registry / Governance and Compliance. Private Module Registry: Publishers -> Consumers (DB, Java, Node.js, …), Sandbox. Policy as Code (Sentinel): cidr size, date/time, cloud provider, …many more…, applied to Java, DB, Custom X
  24. 38.

    On Azure • Modules for Azure: registry.terraform.io, e.g. https://github.com/Azure/terraform-azurerm-compute • Azure Cloud Shell has native Terraform support • Marketplace offering: Ubuntu VM with Terraform & remote state support • Terraform Hub: https://docs.microsoft.com/en-us/azure/terraform/
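As an added example (not from the talk, and not the Azure module project's own code), the Stage 2/3 consumer side of the Producer / Consumer workflow on Azure: remote state in an Azure Storage backend as the team's single source of truth, and a VM built from the registry module cited above with a pinned release. It assumes Terraform 0.12+ syntax; the module input names and the azurerm attribute names are assumptions to check against the module and provider versions you use, and all resource names are placeholders.

```hcl
# Added example (not from the talk). Assumes Terraform 0.12+ syntax; module
# inputs and provider attribute names are assumptions to check per version.

terraform {
  # Shared remote state in Azure Storage: the team's single source of
  # truth, locked per apply, instead of a terraform.tfstate on a laptop.
  backend "azurerm" {
    resource_group_name  = "rg-tfstate"        # placeholder names
    storage_account_name = "sttfstateexample"
    container_name       = "tfstate"
    key                  = "application/app1.tfstate"
  }
}

provider "azurerm" {}

resource "azurerm_resource_group" "app1" {
  name     = "rg-app1"
  location = "westeurope"
}

resource "azurerm_virtual_network" "app1" {
  name                = "vnet-app1"
  address_space       = ["10.10.0.0/16"]
  location            = azurerm_resource_group.app1.location
  resource_group_name = azurerm_resource_group.app1.name
}

resource "azurerm_subnet" "app1" {
  name                 = "snet-app1"
  resource_group_name  = azurerm_resource_group.app1.name
  virtual_network_name = azurerm_virtual_network.app1.name
  address_prefix       = "10.10.1.0/24"
}

module "app1_servers" {
  # Registry module cited on the slides. Pinning a reviewed release means a
  # code-reviewed commit always resolves to the same module source.
  source  = "Azure/compute/azurerm"
  version = "<reviewed-release>" # placeholder: pin the release you reviewed

  resource_group_name = azurerm_resource_group.app1.name
  location            = azurerm_resource_group.app1.location
  vm_hostname         = "app1"
  vm_os_simple        = "UbuntuServer"
  vm_size             = "Standard_B2s"
  vnet_subnet_id      = azurerm_subnet.app1.id
  admin_username      = "azureadmin"
  ssh_key             = "~/.ssh/id_rsa.pub" # public key only; no password in code
}
```

The state file records every attribute the provider returns, including sensitive ones, so the storage account holding it needs the same RBAC scrutiny the slides apply to workspaces.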