2. Chef as a One-Stop Solution
on Microsoft Azure
Karsten Mueller, IT-Architect

3. Some background
• Company LichtBlick SE
o LichtBlick is the leading provider of green electricity and green
gas in Germany. Over one million people - the LichtBlicker -
already rely on our forward-looking energy products.
o 460 Employees, $780 million revenue in 2017
• LichtBlick IT Department (80 Employees)
o „We strive to build the most automated and customer-focused
platform for the energy business in Germany“
o Custom .NET Applications & Standard Software
o Using Azure Cloud & On-Premises Datacenters

4. My part in the game
• „Most of what architects have done traditionally should be done by
developers, or by tools, or not at all.“
• “An architect’s value is inversely proportional to the number of
decisions he or she makes.”
[ Erik Doernenburg & Martin Fowler, Craft Conf 2016 ]

5. My part in the game
• „Most of what architects have done traditionally should be done by
developers, or by tools, or not at all.“
• “An architect’s value is inversely proportional to the number of
decisions he or she makes.”
[ Erik Doernenburg & Martin Fowler, Craft Conf 2016 ]
• Roughly resulting in
o Working in Teams to collaborate on
Infrastructure Code
o Providing some guidance

6. System Libraries
Packages
Middleware
Application
Operating System
Cloud Infrastructure
Cookbooks
Our Approach Delivering Applications
Profiles

7. Our Approach Delivering Applications
• Custom Cookbooks (reusing Community Cookbooks)
• Chef Server
• Configuration data and Cookbooks
• Custom InSpec Profiles
• Chef Automate
• Provides observability for all engineers
• Azure DevOps as CI/CD Pipeline

8. Cookbooks
• Deployment of Custom .NET Applications
• Windows OS Customization (AD join, Anti-Malware, …)
• Windows OS Hardening
• Azure Ressource Provisioning using azure_mgmt resources from
Azure SDK for Ruby

9. Compliance Checks
• Compliance Checks
• CIS profiles
• Custom profiles
• LichtBlick contributed to „dev-sec/windows-baseline“
• https://github.com/LichtBlick/windows-baseline
• Observability

10. Compliance Checks – windows-baseline
control 'windows-001' do
title 'Ensure 'Enforce password history' is set to '24 or more password(s)''
desc 'This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password.
impact 1.0
tag 'windows': ['2012R2', '2016', '2019']
tag 'profile': ['Domain Controller', 'Member Server']
tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '1.1.1'
tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '1.1.1'
tag 'level': '1'
tag 'bsi': ['SYS.1.2.2.M3', 'Sichere Administration']
ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-
Modernisierung/UH_Windows_Server_2012.html'
ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
We added references to BSI* „IT-Grundschutz“
*BSI = German Federal Office for Information Security

11. Provisioning - the good, the bad und the ugly

12. Provisioning - the good, the bad und the uglyg

13. Provisioning - the good, the bad und the ugly
• Decision to provision Azure resources with Chef & Azure resource
manager (ARM)
• Used chef-provisioning-azurerm from Stuart Preston for a while
• Developed custom Library Cookbook „azure-chef-deployment“
• based on gems „azure_mgmt_*
Our „One Stop Solution“
• Separate Chef Roles are describing Azure resource provisioning and
Application Deployment
(in 2016)
(in 2018)
today

14. Provisioning Azure Resources with Chef
Code
Cookbooks
Build
Lint & Test
Release
Chef Zero
Azure DevOps
Azure Resources
Ressource Group
Network
Application
Virtual
Machine
Azure Keyvault
Azure Ressource Manager
Azure Active Directory
ARM Template
Secrets
Authentication
Chef Server
Provisioning
Role
&
Cookbook
Private Agent

15. Provisioning Cookbook – Azure Resources
Provisioning Role for Azure Resources
Default Attributes
default['tenant'] = 'a6238652-91a6-4d9a-90ga-3f16b12dc7c3'
default['subscription'] = 'a2d596e5-2671-463g-96bd-ff487gdb6269'
default['location'] = 'westeurope'
default['resource_tags'] = {}
default['arm_template_folder'] = Chef::Config[:file_cache_path]
default['skip_validation'] = false
Resources with specific attributes
• Network
• Network Security Group
• Virtual Machine
• Application Insights
• Availability Set
• Storage Account
• User Assigned Identity
• Key Vault
• Service Bus
• Azure Functions
• Scale Set

16. Provisioning Cookbook – Azure Network Resource
default['network'] = {
resource_group: 'rg-sharedenv-dev-net',
default_template_parameters: {},
subnets: []
}
Scheme
default_template_parameters: {
virtual_network_name: 'vnet-eu2-157_0_0-20',
virtual_network_address_prefix: '10.157.0.0/20',
dns_servers: ['10.144.2.4', '10.144.2.5']
}
subnets: [
{
name: 'subnet-eu2-157_0_0-24-gendev',
address_prefix: '10.157.0.0/24',
nsg_name: 'nsg-subnet-eu2-157_0_0-24-gendev'
}
]

17. Provisioning - Our Learnings so far
• Using Chef Roles for Provisioning & Deployment is easy
• Promoting changes over stages is still to be improved
• Even a thin abstraction layer brings in dependencies
• On ruby gems being the same version as in ChefDK
• Interested in using our Provisioning Cookbook as OpenSource?
• Just ping me: karsten.mueller@lichtblick.de, @karmueller

18. Provisioning – Q&A
• Your Questions?
• What kind of Cloud resources do you have to provision?
oIaaS (Virtual Machines, Networks, …), PaaS Services
oKubernetes as a Service
o…
• What approach are you using?
oManually using the Web UI
oProgrammatically using Provider specific API
oTerraform
o…

19. Collaborate on Code