
Key points for using Terraform together with Azure

Published in: Engineering

  1. Terraform x Azure, 2018/06/14, @MoriyamaKyohei
  5. Terraform x Azure: agenda
     1. Terraform x Azure x ?
     2. Terraform x Azure x ? (state)
     3. Terraform x Azure x Credential
     4. Terraform x CI/CD Tool x MSI x Azure
  6. Q. Azure Resource “ ”
     A. Azure CLI
  7. $ az login
     $ az account list-locations
  11. Q. State on Azure?
      A. Blob storage, configured in the remoteState.tf configuration file
  12. Terraform x State: “state” / terraform.tfstate / local state / plans / state purpose
      > Terraform must store state about your managed infrastructure and configuration. This state is used by Terraform to map real world resources to your configuration, keep track of metadata, and to improve performance for large infrastructures.
      >
      > This state is stored by default in a local file named "terraform.tfstate", but it can also be stored remotely, which works better in a team environment.
      >
      > Terraform uses this local state to create plans and make changes to your infrastructure. Prior to any operation, Terraform does a refresh to update the state with the real infrastructure.
      >
      > For more information on why Terraform requires state and why Terraform cannot function without state, please see the page state purpose.
      (Hashicorp Terraform Documentation)
  13. Terraform x State purpose
      > The primary motivation people have for using remote state files is in an attempt to improve using Terraform with teams. State files can easily result in conflicts when two people modify infrastructure at the same time.
      >
      > _Remote state_ is _the recommended solution_ to this problem. At the time of writing, remote state works well but there are still scenarios that can result in state conflicts. A priority for future versions of Terraform is to improve this.
      Terraform “Remote State” (Hashicorp Terraform Documentation)
  14. Blob (Object) Storage
      $ python --version && mkdir terraform-demo && cd terraform-demo && virtualenv env && source env/bin/activate && pip install azure-cli
      $ az login
      To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code FYT6E7UGR to authenticate.
      # -> browser login
      $ az group create -n terraform-demo -l japaneast
      $ az storage account create --name myterrastatestore --resource-group terraform-demo --location japaneast --sku Standard_RAGRS --encryption blob
      $ az storage account keys list --account-name myterrastatestore --resource-group terraform-demo
      $ az storage container create --name statestorecont --account-key 7p+SUZrcBuE2rUoUAT1RdvcarapOLlI1Qcl1LHAhWzYuz+Gv/w+Znwd7mcSqnITrgMN5NKc296ZfSWw1K21xwQ== --account-name myterrastatestore
      OS/Security Terraform okay
  15. Terraform: blob storage for state
      #-------------------------------------------------------
      # Statement of Resource Group
      #-------------------------------------------------------
      resource "azurerm_resource_group" "terraform-blob" {
        name     = "terraform-state-blob"
        location = "Japan East"
      }
      #-------------------------------------------------------
      # Creating storage blob / account and container
      #-------------------------------------------------------
      resource "azurerm_storage_account" "terraform-blob" {
        name                     = "decodeterraformblob"
        resource_group_name      = "${azurerm_resource_group.terraform-blob.name}"
        location                 = "${azurerm_resource_group.terraform-blob.location}"
        account_tier             = "Standard"
        account_replication_type = "RAGRS"
      }
      resource "azurerm_storage_container" "terraform-blob" {
        name                  = "terraformblobstatefile"
        resource_group_name   = "${azurerm_resource_group.terraform-blob.name}"
        storage_account_name  = "${azurerm_storage_account.terraform-blob.name}"
        container_access_type = "private"
      }
  16. remoteState.tf
      terraform {
        backend "azurerm" {
          storage_account_name = "myterrastatestore"
          container_name       = "statestorecont"
          key                  = "prod.terraform.tfstate"
          access_key           = "lo1EmEyuHAaRfBXkASHXONB431foHh0CwXE3p3qwR0KTZpmrQsAbMdAD54I7Lae801Om7v0VVH5PCqfVc0+GOA=="
        }
      }
      ! Key
  17. Q. terraform plan with az login?
      A. The az login Auth Token has a default Expire Time; use RBAC / a Service principal on Azure
  18. Terraform x Azure: the Terraform Azure Provider uses the Azure CLI Auth Token (`$HOME/.azure/accessTokens.json`), and that Auth Token expires
  19. RBAC (Role-based Access Control): reference diagram, Azure / On-Premises
      Organisation: Sector 1, Sector 2 .. / Region NA, Region SA / Division Mktg, Division Sales .. / Project 1, Project 2 ..
      Mapping: Subscription per Sector; Resource Group per Project; Tags: Region, Division, Project; “Standard” VNet per Division in a separate resource group; Billing tracked per Division; Subnet on the “standard” VNet assigned to each Project
      Identity: Users, Groups and Password Sync; Active Directory; Azure Active Directory; ExpressRoute(s)
      Roles: IT Director’s Office; Infrastructure Admins and Support; Project Team roles; Network Admins (Owners of Subscriptions); VNet Contributors of “standard” VNet RGs; Virtual Machine Contributors of Project RGs and “standard” VNet RGs; Appropriate Role on Project RGs
  20. Azure CLI, RBAC, Service principal: az login (OAuth)
      Web application / SP (azure cli control): ① Login → ② Login Code → ③ Login Code → ④ Login Code + User Credential → ⑤ (Web) → ⑥ Auth Token ($HOME/.azure/accessTokens.json) → ⑦ Auth Token used by the Azure CLI
      Token Expired Time !
  21. RBAC Service principal
      $ # default 1 year; --years option
      $ az ad sp create-for-rbac
      AppId                                 DisplayName                    Name                                  Password                              Tenant
      ------------------------------------  -----------------------------  ------------------------------------  ------------------------------------  ------------------------------------
      15ac61e0-35a0-4969-97c9-1309420aabae  azure-cli-2018-06-14-07-26-27  http://azure-cli-2018-06-14-07-26-27  8d3f937e-6818-48fd-b36a-93e8fa9709f8  72f988bf-86f1-41af-91ab-2d7cd011db47
      $ # subscription ID
      $ az account list
      Name                      CloudName   SubscriptionId                                State    IsDefault
      ------------------------  ----------  --------------------------------------------  -------  ---------
      Visual Studio Enterprise  AzureCloud  2fasdfasd5a3-asdf65-4asdf-8bd9-d8asdfsdfdef8  Enabled
      Microsoft Azure XXXX      AzureCloud  casdfasdf-s7fd1-46dd-87asfdsfasdff375         Enabled  True
      $ #
      $ az login --service-principal -u http://azure-cli-2018-06-14-07-26-27 -p "8d3f937e-6818-48fd-b36a-93e8fa9709f8" --tenant "72f988bf-86f1-41af-91ab-2d7cd011db47"
  22. Credential tf
      [azureCred.tf]
      variable "subscription_id" {}
      variable "tenant_id" {}
      variable "client_id" {}
      variable "client_secret" {}
      provider "azurerm" {
        subscription_id = "${var.subscription_id}"
        tenant_id       = "${var.tenant_id}"
        client_id       = "${var.client_id}"     # app id → client id
        client_secret   = "${var.client_secret}" # Password → client secret
      }
      [terraform.tfvars]
      subscription_id = "xxxxxxxxx-xxxxxxxxxx-sdfasdfasf375"
      tenant_id       = "asdfasdfasdf-asdf-asdf-asdfasdfasdfasdf"
      client_id       = "15ac61e0-35a0-4969-97c9-1309420aabae"
      client_secret   = "8d3f937e-6818-48fd-b36a-93e8fa9709f8"
  23. Q. terraform plan via az login from a CI/CD tool: what about the token?
      A. Azure
  24. Token
      [ ] Azure / Azure AD Auth Token (Token, Token Code)
      [ ] Azure MSI (Managed Service Identity)
  25. Managed Service Identity (Tenant / Subscription)
      Resource Group A: Azure Active Directory
      Resource Group B: MSI VM [Management VM] → $ az login --identity → MSI endpoint → Get Auth Token (Token for the Management VM, Resource Group A) → $ terraform init / plan / apply / destroy → VM
  26. MSI → Marketplace Terraform VM: Terraform / Azure CLI / MSI VM Extension on the VM
  27. Deploy: State blob / MSI / Terraform
  29. MSI: Staging RG / Production RG / Management RG
  30. Test and Staging Phase: Maven Build and App Test / Staging Deploy / Production Deploy / E2E Test / Go to Production Phase
  31. Let’s try AKS with Terraform!!
  32. Terraform x Azure (as of 2018/06/14), Microsoft
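Slides 18 and 20 point at the Azure CLI token cache `$HOME/.azure/accessTokens.json` and note that the token it holds expires. The script below is an added example, not from the deck: it reads that cache and refuses to start terraform on a stale token. It assumes the ADAL-style layout az login writes (a JSON array of objects with an `expiresOn` field in `YYYY-MM-DD HH:MM:SS.ffffff` local time); the sample cache is constructed.

```shell
#!/bin/sh
# Added example, not from the slides: check whether the Azure CLI token cache
# still holds an unexpired token before an unattended terraform run.
# Assumed cache layout (as written by az login): a JSON array of objects,
# each with "expiresOn": "YYYY-MM-DD HH:MM:SS.ffffff" in local time.

# Print the latest expiresOn (to the second) found in the token cache at $1.
latest_token_expiry() {
  [ -r "$1" ] || return 1
  tr ',' '\n' < "$1" \
    | sed -n 's/.*"expiresOn"[[:space:]]*:[[:space:]]*"\([0-9-]* [0-9:]*\)[^"]*".*/\1/p' \
    | sort | tail -n 1
}

# Return 0 if the cache at $1 has a token still valid at $2 ("YYYY-MM-DD HH:MM:SS").
# Both timestamps are zero-padded in the same layout, so a lexical comparison
# orders them correctly without GNU date extensions.
cli_token_valid_at() {
  expiry="$(latest_token_expiry "$1" 2>/dev/null)" || return 1
  [ -n "$expiry" ] || return 1
  expr "$expiry" \> "$2" > /dev/null
}

# Constructed sample cache: one expired token and one still valid on 2018-06-14.
write_sample_cache() {
  cat > "$1" <<'EOF'
[
  {"tokenType": "Bearer", "expiresOn": "2018-06-14 08:00:00.000000",
   "resource": "https://management.core.windows.net/", "accessToken": "<redacted>"},
  {"tokenType": "Bearer", "expiresOn": "2018-06-14 09:15:07.123456",
   "resource": "https://management.core.windows.net/", "accessToken": "<redacted>"}
]
EOF
}

# Gate for a script or CI job: refuse to start terraform on a stale CLI token
# instead of letting plan/apply fail part-way; unattended runs should use a
# service principal or MSI, as the deck goes on to recommend.
run_terraform_if_token_valid() {
  if cli_token_valid_at "${HOME}/.azure/accessTokens.json" "$(date '+%Y-%m-%d %H:%M:%S')"; then
    terraform plan
  else
    echo "Azure CLI token missing or expired; re-run az login or use a service principal / MSI" >&2
    return 1
  fi
}
```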

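Slide 16 puts the storage account access_key straight into remoteState.tf and slide 22 puts the service-principal client_secret into terraform.tfvars; both files tend to end up in version control. The script below is an added example, not from the deck: it writes a key-free backend block and a credential-free provider block, relies on the azurerm backend's `ARM_ACCESS_KEY` and the azurerm provider's `ARM_SUBSCRIPTION_ID` / `ARM_TENANT_ID` / `ARM_CLIENT_ID` / `ARM_CLIENT_SECRET` (or `ARM_USE_MSI`) environment variables instead, and adds a pre-commit style check that fails when a literal secret is assigned in any .tf or .tfvars file. The account, container and resource-group names are the ones from slides 14 and 16.

```shell
#!/bin/sh
# Added example, not from the slides: keep the storage access key (slide 16)
# and the service-principal secret (slide 22) out of the .tf/.tfvars files.
# The azurerm backend reads ARM_ACCESS_KEY and the azurerm provider reads
# ARM_SUBSCRIPTION_ID, ARM_TENANT_ID, ARM_CLIENT_ID and ARM_CLIENT_SECRET
# (or ARM_USE_MSI=true on an MSI-enabled VM) from the environment.

# Backend block with the same account/container/key as slide 16 but no access_key.
write_backend_tf() {
  cat > "$1" <<'EOF'
terraform {
  backend "azurerm" {
    storage_account_name = "myterrastatestore"
    container_name       = "statestorecont"
    key                  = "prod.terraform.tfstate"
  }
}
EOF
}

# Provider block that carries no credentials at all; ARM_* variables supply them.
write_provider_tf() {
  printf 'provider "azurerm" {}\n' > "$1"
}

# Return 1 if any .tf/.tfvars under directory $1 assigns a literal value to
# access_key or client_secret (e.g. client_secret = "8d3f..."), else 0.
# A reference such as client_secret = var.client_secret is not flagged.
check_no_literal_secrets() {
  if grep -rEn --include='*.tf' --include='*.tfvars' \
       -e '^[[:space:]]*(access_key|client_secret)[[:space:]]*=[[:space:]]*"[^"]+"' "$1"; then
    return 1
  fi
  return 0
}

# Interactive use only (needs the az CLI and a login): fetch the key into the
# environment instead of pasting it into remoteState.tf, then init the backend.
load_key_and_init() {
  ARM_ACCESS_KEY="$(az storage account keys list --account-name myterrastatestore \
      --resource-group terraform-demo --query '[0].value' -o tsv)"
  export ARM_ACCESS_KEY
  check_no_literal_secrets . && terraform init
}
```

Run `check_no_literal_secrets .` as a pre-commit hook or CI step; it prints each offending file:line and exits non-zero.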