Slide 1

Slide 1 text

MS Azure Zürich User Group IAC Episode 3 Terraform Strikes Back! Jonas Wanninger

Slide 2

Slide 2 text

Jonas Wanninger
Consultant and Cloud Architect
• Azure (Automation, Architecture and Security)
• Development (.NET, PowerShell, SQL)
• Microsoft SQL Server
• Microsoft Certified Trainer
https://www.linkedin.com/in/jonas-wanninger-0a4833139/

Slide 3

Slide 3 text

Terraform Strikes Back?! VS

Slide 4

Slide 4 text

Why is IaC cool?
• Provides consistency across all deployments and stages
• Version control
• Faster deployments and recovery
• Just in time deployments

Slide 5

Slide 5 text

First things First: Terraform Overview
• Company: HashiCorp
• Open Source
• Based on Azure SDK for GO!
• Cloud vendor independent

Slide 6

Slide 6 text

Terraform Cloud
• Consistent and reliable deployment environment
• Shared state and secret data
• Approving changes to infrastructure
• A private registry for modules
• Terraform Enterprise is the self-hosted version of Terraform Cloud

Slide 7

Slide 7 text

HCL Introduction

Overall Syntax

"" "" {
  # Block body
  = # Argument
}

Example

resource "azurerm_resource_group" "rg" {
  name     = "myTFResourceGroup"
  location = "westus2"
}

Slide 8

Slide 8 text

First things First: Terraform Workflow Write Code Init Terraform Validate Plan Apply Get Happy!

Slide 9

Slide 9 text

DEMO

Slide 10

Slide 10 text

Terraform files
• terraform.tfstate
• terraform.tfvars
• main.tf

Slide 11

Slide 11 text

Advanced Terraform Topics: The Statefile
• Terraform always keeps track of your infrastructure
• Contains sensitive data in clear text
• Stored locally
• Not great for working in teams
• Shows your entire cloud infrastructure
• Including security issues ;)

Slide 12

Slide 12 text

Advanced Terraform Topics: The Statefile
• Remote backends are the solution, e.g. Azure Blob Storage
• Encrypted
• Locking mechanism

state.tfstate
Authenticate to the storage account (e.g. with SP or MSI)
Gets decrypted while Terraform works with it
On the storage account it is encrypted again.

Slide 13

Slide 13 text

Advanced Terraform Topics: Keeping Your Secrets

Slide 14

Slide 14 text

Advanced Terraform Topics: Keeping Your Secrets

Slide 15

Slide 15 text

Advanced Terraform Topics: Keeping Your Secrets

Slide 16

Slide 16 text

Advanced Terraform Topics: Keeping Your Secrets

Slide 17

Slide 17 text

Advanced Terraform Topics: Keeping Your Secrets
• Tool Recommendation
• GitHub: mozilla / sops
• Encrypts and decrypts variable files on the fly
• Encryption keys can be kept in an Azure Key Vault
• Encrypted Terraform variable file can be checked in to version control

Pull code incl. encrypted variables files from source control
Decrypt variables file
Terraform deployment
Delete files from deployment server

Slide 18

Slide 18 text

Advanced Terraform Topics: Dependency Graph
Terraform plan
• Create Dependency Graph
• Can be saved
Terraform apply
• Traverses dependency graph
Depends On
• Dependencies can be manually specified but that's not necessary

Slide 19

Slide 19 text

When to Use Terraform When to Use ARM? – Speed
ARM Templates
o Directly talk to the resource manager
o Can parallelize work
Terraform
o In most cases slower
o No parallelism, just for dependency traversal

Slide 20

Slide 20 text

When to Use Terraform When to Use ARM? - Features
ARM Templates
o Always has the latest Azure features (previews)
o Lacks code management features and modularization
o Manual dependency management
o Especially annoying since you sometimes run into limitations, e.g. V-NET
Terraform
o Depends on the Azure SDK for GO!
o More features towards code modularization and dynamic code functions
o Automatic dependency management
o No history tracking in Azure

Slide 21

Slide 21 text

When to Use Terraform When to Use ARM? – Use Cases

Use Case                              | Go With
Need newest features?                 | ARM
Deployment times are critical?        | ARM
Infrastructure is quite simple?       | ARM
Infrastructure is complex?            | Terraform
Hybrid Cloud capability is important? | Terraform

Slide 22

Slide 22 text

Contact: [email protected] Thank you for attending! Stay Healthy!