
Chef as a One-Stop Solution on Microsoft Azure

We are using Chef as a One-Stop Solution on Microsoft Azure. With Azure DevOps as our CI/CD pipeline, we use Chef cookbooks to provision infrastructure and to deploy and configure software. We also do compliance testing with InSpec and use Chef Automate to present the results.




  1. Chef as a One-Stop Solution on Microsoft Azure (Karsten Mueller, IT-Architect)
  2. Some background
     • Company: LichtBlick SE
       o LichtBlick is the leading provider of green electricity and green gas in Germany. Over one million people, the LichtBlicker, already rely on our forward-looking energy products.
       o 460 employees, $780 million revenue in 2017
     • LichtBlick IT Department (80 employees)
       o „We strive to build the most automated and customer-focused platform for the energy business in Germany“
       o Custom .NET applications & standard software
       o Using Azure Cloud & on-premises datacenters
  4. My part in the game
     • „Most of what architects have done traditionally should be done by developers, or by tools, or not at all.“
     • “An architect’s value is inversely proportional to the number of decisions he or she makes.”
       [ Erik Doernenburg & Martin Fowler, Craft Conf 2016 ]
     • Roughly resulting in
       o Working in teams to collaborate on infrastructure code
       o Providing some guidance
  5. Our Approach: Delivering Applications
     [Diagram: a layered stack of Application, Middleware, Packages, System Libraries, Operating System and Cloud Infrastructure; Cookbooks cover the stack for configuration, Profiles cover it for compliance checks]
  6. Our Approach: Delivering Applications
     • Custom cookbooks (reusing community cookbooks)
     • Chef Server
       o Configuration data and cookbooks
     • Custom InSpec profiles
     • Chef Automate
       o Provides observability for all engineers
     • Azure DevOps as CI/CD pipeline
  7. Cookbooks
     • Deployment of custom .NET applications
     • Windows OS customization (AD join, anti-malware, …)
     • Windows OS hardening
     • Azure resource provisioning using azure_mgmt resources from the Azure SDK for Ruby
  8. Compliance Checks
     • Compliance checks
       o CIS profiles
       o Custom profiles
     • LichtBlick contributed to „dev-sec/windows-baseline“
       o https://github.com/LichtBlick/windows-baseline
     • Observability
  9. Compliance Checks – windows-baseline

         control 'windows-001' do
           title "Ensure 'Enforce password history' is set to '24 or more password(s)'"
           desc 'This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password.'
           impact 1.0
           tag 'windows': ['2012R2', '2016', '2019']
           tag 'profile': ['Domain Controller', 'Member Server']
           tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '1.1.1'
           tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '1.1.1'
           tag 'level': '1'
           tag 'bsi': ['SYS.1.2.2.M3', 'Sichere Administration']
           ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
           ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
           ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
           # The check body is not shown on the slide; this is the InSpec
           # security_policy check for the same setting (PasswordHistorySize
           # from the local security policy), added so the control is complete.
           describe security_policy do
             its('PasswordHistorySize') { should be >= 24 }
           end
         end

     We added references to BSI* „IT-Grundschutz“ (*BSI = German Federal Office for Information Security).
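     The control above compares one value from the local security policy with the CIS threshold. The following Ruby is an added example, not code from the talk or from the dev-sec/windows-baseline profile: it does the same evaluation outside InSpec by parsing the INF text that `secedit /export` writes, running windows-001 plus one constructed control against it, and reporting passed/failed/error per control, where a missing or non-numeric setting is an error rather than a pass. The secedit export is a constructed sample; the second control id and its threshold are assumptions of this example.

```ruby
# Added example, not code from the talk or from dev-sec/windows-baseline:
# evaluate control windows-001 against an exported local security policy
# without InSpec, mirroring what the security_policy resource checks.

# Constructed sample of an INF file as written by `secedit /export /cfg <file>`.
SAMPLE_SECEDIT_EXPORT = <<~INF
  [Unicode]
  Unicode=yes
  [System Access]
  MinimumPasswordAge = 1
  MaximumPasswordAge = 42
  MinimumPasswordLength = 7
  PasswordComplexity = 1
  PasswordHistorySize = 12
  LockoutBadCount = 0
  [Version]
  signature="$CHICAGO$"
  Revision=1
INF

# Controls as data: windows-001 is the control from the slide; the second
# entry is a constructed example and not an id from the published profile.
CONTROLS = [
  { id: 'windows-001',
    title: "Ensure 'Enforce password history' is set to '24 or more password(s)'",
    section: 'System Access', key: 'PasswordHistorySize', min: 24 },
  { id: 'example-min-length (constructed)',
    title: 'Ensure minimum password length is 14 or more characters',
    section: 'System Access', key: 'MinimumPasswordLength', min: 14 }
].freeze

# Parse INF text into { section => { key => value } }; values stay strings.
def parse_secedit(text)
  sections = Hash.new { |h, k| h[k] = {} }
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?(';')
    if (m = line.match(/\A\[(.+)\]\z/))
      current = m[1]
    elsif current && (m = line.match(/\A([^=]+?)\s*=\s*(.*)\z/))
      sections[current][m[1]] = m[2]
    end
  end
  sections
end

# Evaluate each control: 'passed' / 'failed', or 'error' when the key is
# missing or not numeric (an absent setting must never count as a pass).
def evaluate(controls, policy)
  controls.map do |c|
    raw = policy.dig(c[:section], c[:key])
    value = begin
      Integer(raw, 10)
    rescue ArgumentError, TypeError
      nil
    end
    status = if value.nil?
               'error'
             elsif value >= c[:min]
               'passed'
             else
               'failed'
             end
    { id: c[:id], status: status, actual: value, expected: ">= #{c[:min]}" }
  end
end

# Count results by status, the way a report summarizes a run.
def summarize(results)
  results.each_with_object(Hash.new(0)) { |r, h| h[r[:status]] += 1 }
end

if $PROGRAM_NAME == __FILE__
  results = evaluate(CONTROLS, parse_secedit(SAMPLE_SECEDIT_EXPORT))
  results.each do |r|
    puts "#{r[:id]}: #{r[:status]} (actual #{r[:actual].inspect}, expected #{r[:expected]})"
  end
  puts summarize(results)
end
```

     Keeping the controls as data, separate from the parser, is what makes it cheap to add the BSI and CIS references the slide mentions as further fields per control.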
  10. Provisioning - the good, the bad and the ugly
  12. Provisioning - the good, the bad and the ugly
      • Decision to provision Azure resources with Chef & Azure Resource Manager (ARM)
      • Used chef-provisioning-azurerm from Stuart Preston for a while (in 2016)
      • Developed custom library cookbook „azure-chef-deployment“, based on the azure_mgmt_* gems (in 2018)
      • Our „One Stop Solution“ today: separate Chef Roles describe Azure resource provisioning and application deployment
  13. Provisioning Azure Resources with Chef
      [Diagram: Azure DevOps pipeline (Code, Cookbooks, Build, Lint & Test with Chef Zero, Release on a Private Agent) → Chef Server (Provisioning Role & Cookbook) → Azure Resource Manager (ARM Template) → Azure Resources (Resource Group, Network, Application, Virtual Machine); Azure Key Vault supplies Secrets, Azure Active Directory handles Authentication]
  14. Provisioning Cookbook – Azure Resources
      Provisioning Role for Azure Resources, default attributes:

          default['tenant'] = 'a6238652-91a6-4d9a-90ga-3f16b12dc7c3'
          default['subscription'] = 'a2d596e5-2671-463g-96bd-ff487gdb6269'
          default['location'] = 'westeurope'
          default['resource_tags'] = {}
          default['arm_template_folder'] = Chef::Config[:file_cache_path]
          default['skip_validation'] = false

      Resources with specific attributes:
      • Network
      • Network Security Group
      • Virtual Machine
      • Application Insights
      • Availability Set
      • Storage Account
      • User Assigned Identity
      • Key Vault
      • Service Bus
      • Azure Functions
      • Scale Set
  15. Provisioning Cookbook – Azure Network Resource
      Scheme:

          default['network'] = {
            resource_group: 'rg-sharedenv-dev-net',
            default_template_parameters: {},
            subnets: []
          }

      Example values:

          default_template_parameters: {
            virtual_network_name: 'vnet-eu2-157_0_0-20',
            virtual_network_address_prefix: '10.157.0.0/20',
            dns_servers: ['10.144.2.4', '10.144.2.5']
          }
          subnets: [
            {
              name: 'subnet-eu2-157_0_0-24-gendev',
              address_prefix: '10.157.0.0/24',
              nsg_name: 'nsg-subnet-eu2-157_0_0-24-gendev'
            }
          ]
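      Before a role like this is handed to ARM, a provisioning cookbook can reject an inconsistent address plan in the pipeline instead of in Azure. The following Ruby is an added example, not the talk's azure-chef-deployment cookbook: it validates attributes in the slide's network scheme (CIDR syntax, subnets inside the vnet prefix, no overlapping subnets, unique names, an NSG on every subnet) and then renders the ARM parameters-file shape. The attribute values are constructed in the slide's style; the ARM parameter names are assumptions of this example.

```ruby
require 'ipaddr'

# Added example, not the talk's azure-chef-deployment cookbook: validate the
# node['network'] attributes from the slide before they become ARM template
# parameters, so a bad address plan fails in the pipeline, not in Azure.

# Constructed attributes in the shape of the slide's default['network'].
NETWORK_ATTRIBUTES = {
  resource_group: 'rg-sharedenv-dev-net',
  default_template_parameters: {
    virtual_network_name: 'vnet-eu2-157_0_0-20',
    virtual_network_address_prefix: '10.157.0.0/20',
    dns_servers: ['10.144.2.4', '10.144.2.5']
  },
  subnets: [
    { name: 'subnet-eu2-157_0_0-24-gendev', address_prefix: '10.157.0.0/24',
      nsg_name: 'nsg-subnet-eu2-157_0_0-24-gendev' },
    { name: 'subnet-eu2-157_1_0-24-app', address_prefix: '10.157.1.0/24',
      nsg_name: 'nsg-subnet-eu2-157_1_0-24-app' }
  ]
}.freeze

# Parse a CIDR or plain address; nil instead of an exception on bad input.
def parse_cidr(text)
  return nil if text.to_s.empty?
  IPAddr.new(text.to_s)
rescue ArgumentError # IPAddr::Error and its subclasses derive from ArgumentError
  nil
end

# Return a list of readable errors; an empty list means the plan is usable.
def validate_network(attrs)
  errors = []
  params = attrs.fetch(:default_template_parameters, {})
  errors << 'virtual_network_name is missing' if params[:virtual_network_name].to_s.empty?
  vnet = parse_cidr(params[:virtual_network_address_prefix])
  errors << 'virtual_network_address_prefix is not a valid CIDR' unless vnet
  Array(params[:dns_servers]).each do |ip|
    errors << "dns server #{ip} is not a valid IPv4 address" unless parse_cidr(ip)&.ipv4?
  end
  seen = [] # [name, IPAddr] of subnets already processed, for overlap checks
  attrs.fetch(:subnets, []).each do |s|
    name = s[:name].to_s
    errors << 'subnet without a name' if name.empty?
    errors << "duplicate subnet name #{name}" if seen.any? { |n, _| n == name }
    # Every subnet gets a network security group, so traffic filtering is never left to chance.
    errors << "subnet #{name} has no nsg_name" if s[:nsg_name].to_s.empty?
    cidr = parse_cidr(s[:address_prefix])
    unless cidr
      errors << "subnet #{name} address_prefix is not a valid CIDR"
      next
    end
    errors << "subnet #{name} (#{s[:address_prefix]}) is outside the vnet prefix" if vnet && !vnet.include?(cidr)
    seen.each do |other_name, other|
      # Two CIDR blocks overlap exactly when one contains the other's network address.
      errors << "subnet #{name} overlaps #{other_name}" if other.include?(cidr) || cidr.include?(other)
    end
    seen << [name, cidr]
  end
  errors
end

# Render the ARM parameters-file shape ({ "parameters" => { name => { "value" => ... } } }).
# The parameter names are assumptions of this example, not the cookbook's template.
def to_arm_parameters(attrs)
  errors = validate_network(attrs)
  raise ArgumentError, "invalid network attributes: #{errors.join('; ')}" unless errors.empty?
  params = attrs[:default_template_parameters]
  subnets = attrs[:subnets].map { |s|
    { 'name' => s[:name], 'addressPrefix' => s[:address_prefix], 'nsgName' => s[:nsg_name] }
  }
  {
    'parameters' => {
      'virtualNetworkName' => { 'value' => params[:virtual_network_name] },
      'virtualNetworkAddressPrefix' => { 'value' => params[:virtual_network_address_prefix] },
      'dnsServers' => { 'value' => params[:dns_servers] },
      'subnets' => { 'value' => subnets }
    }
  }
end

if $PROGRAM_NAME == __FILE__
  require 'json'
  puts JSON.pretty_generate(to_arm_parameters(NETWORK_ATTRIBUTES))
end
```

      Run from a cookbook's lint-and-test stage, a validator like this turns the `skip_validation` attribute on the previous slide into a conscious decision rather than the path of least resistance.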
  16. Provisioning - Our Learnings so far
      • Using Chef Roles for provisioning & deployment is easy
      • Promoting changes over stages is still to be improved
      • Even a thin abstraction layer brings in dependencies
        o On Ruby gems being the same version as in ChefDK
      • Interested in using our Provisioning Cookbook as open source?
        o Just ping me: karsten.mueller@lichtblick.de, @karmueller
  17. Provisioning – Q&A
      • Your questions?
      • What kind of cloud resources do you have to provision?
        o IaaS (Virtual Machines, Networks, …), PaaS services
        o Kubernetes as a Service
        o …
      • What approach are you using?
        o Manually using the Web UI
        o Programmatically using provider-specific APIs
        o Terraform
        o …
  18. Collaborate on Code
