Alex Magnay - Azure Infrastructure as Code with Hashicorp Terraform
•Download as PPTX, PDF•
4 likes•1,787 views
This document summarizes a presentation about using Terraform and Azure. The presentation introduces Infrastructure as Code and Terraform, shows how to manage Azure resources with Terraform, demonstrates the Terraform workflow, and discusses use cases for operations, security, and development teams. It also covers tips for using Terraform effectively and safely with Azure. Microsoft and Hashicorp have partnered to improve support for provisioning Azure services with Terraform.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (14)
Similar to Alex Magnay - Azure Infrastructure as Code with Hashicorp Terraform
Similar to Alex Magnay - Azure Infrastructure as Code with Hashicorp Terraform (20)
Recently uploaded
Recently uploaded (20)
Alex Magnay - Azure Infrastructure as Code with Hashicorp Terraform
- 1. @AlexMags Microsoft Azure Infrastructure as Code and Hashicorp Terraform @alexmags #winops
- 2. @AlexMags Alex Magnay Twitter: @alexmags Email: alex@alexmags.com
- 3. @AlexMags This talk • DIY on premises vs Infrastructure as a Service • Hashicorp Terraform • Terraform Workflow • Demo • Operations, Security, Development teams • Microsoft & Hashicorp News
- 4. @AlexMags
- 6. @AlexMags
- 10. @AlexMags Brexit
- 12. @AlexMags
- 14. @AlexMags What is Terraform? • A way to manage Azure • Domain Specific Language • Declarative • Easy to read and write • Drives the Azure API • Runs on Windows & Linux • Open Source • Free • Yes, seriously, it’s free
- 15. @AlexMags What is Terraform NOT? • Not OS configuration management • Not an abstraction layer for any cloud
- 16. @AlexMags https://www.terraform.io/docs/providers - September 2017 Alicloud Archive Arukas AWS Bitbucket CenturyLinkCloud Chef Circonus Cloudflare CloudStack Cobbler Consul Datadog DigitalOcean DNS DNSMadeEasy DNSimple Docker Dyn External Fastly GitHub Gitlab Google Cloud Grafana Heroku HTTP Icinga2 Ignition InfluxDB Kubernetes Librato Local Logentries Mailgun New Relic Nomad NS1 Microsoft Azure MySQL 1&1 Oracle Public Cloud OpenStack OpsGenie OVH Packet PagerDuty PostgreSQL PowerDNS ProfitBricks RabbitMQ Rancher Random Spotinst Template Terraform Terraform Enterprise TLS Triton UltraDNS Vault VMware vCloud Director VMware vSphere
- 17. @AlexMags Resource Groups App Service (web apps) App Insights Content Delivery Network Containers CosmosDB (Document DB) DNS records Event Hubs Key vault Event Hub Virtual Network Resources Load Balancers Managed Disk Redis cache Azure Search ServiceBus Azure SQL Storage ARM templates Virtual Machines https://www.terraform.io/docs/providers/azurerm - September 2017 Terraform these Azure Resources
- 21. @AlexMags Terraform Workflow Edit Code Terraform.exe Plan Terraform.exe Deploy Execution Plan
- 29. @AlexMags Demo Time Shut up and prove it!
- 30. @AlexMags Terraform For Operations • Deploy, change, manage IaaS (any cloud!) • With source control you can roll back to previous state • Delegate dev environments to dev teams • Give your execution plan to someone else to apply out of hours
- 31. @AlexMags Terraform For Security • Enforce configuration • Git commit history - See WHO changed WHAT and WHY • Delegate Azure access to a scheduler (Jenkins/Teamcity) • Security concerns – long lived API access keys with privileged access • Don’t store keys in code or source control • Don’t store keys in config files in default locations • Don’t store keys in user or machine environment variables • Use short key expiry times (1 hour)
- 32. @AlexMags Avoid long lived API access keys https://www.terraform.io/docs/providers/azurerm/index.html
- 33. @AlexMags Plain text keys in default locations unsafe http://theburningmonk.com/2017/07/slides-for-my-serverless-security-talk (65)
- 34. @AlexMags Terraform For Developers Ops Terraform • Resource groups • vNets • Subnets • VPNs • Shared infra services • Security groups • Ops state file Dev Terraform • Read only Ops state file • Dev VMs and Apps • Dev state file
- 35. @AlexMags Terraform For Developers Ops Resource Group Dev Resource Group
- 36. @AlexMags Terraform For Developers Ops Resource Group Dev Resource Group
- 37. @AlexMags Windows PowerShell Copyright (C) 2016 Microsoft Corporation. All rights reserved. PS H:> cd MyEnvironment PS H:MyEnvironment> terraform apply PS H:MyEnvironment> terraform destroy
- 38. @AlexMags Terraform For Your Budget • Terraform is open source and free • Tear up & tear down easily – only pay when required • Let terraform clean up. Avoid wasteful cruft • Don’t write your own cloud infra management tooling!
- 41. @AlexMags March 2016 "HashiCorp has set a high standard for infrastructure automation across public and private clouds. We're excited that HashiCorp tools now fully support managing Microsoft Azure resources, and look forward to our enterprise customers leveraging these tools to improve their operator workflows across large teams and global infrastructure.“ Corey Sanders, Director of Program Management, Azure, Microsoft Corp. http://www.marketwired.com/press-release/hashicorp-announces-full-support-for-microsoft-azure-across-its-products-2108249.htm
- 42. @AlexMags https://www.hashicorp.com/blog/azure-resource-manager-support-for-packer-and-terraform/
- 44. @AlexMags August 2017 “I am excited to announce that we are greatly increasing our investment in Terraform, partnering closely with HashiCorp, a well-known voice in the DevOps and cloud infrastructure management space.” Corey Sanders, Director of Program Management, Azure, Microsoft Corp. HashiCorp, a leader in cloud infrastructure automation, today announced a multi-year collaboration with Microsoft to deepen support for the provisioning of Microsoft Azure cloud services with HashiCorp Terraform. http://www.marketwired.com/press-release/hashicorp-extend-work-with-microsoft-multi-year-collaboration-that-enables-hashicorp-2230675.htm
- 46. @AlexMags Takeaways & Tips From the Field • Don’t mix manual deploy and Terraform • Start simple and build up iteratively • Establish a resource naming convention quickly • Tag everything ‘deployed_by=terraform’ • Use comments liberally • Use modules, variablise everything, set sensible defaults • Use remote backend/remote state file • Ops need to learn source control tools (Git) • Stay safe: Avoid long lived API access keys
- 47. @AlexMags Resources terraform.io/docs GitHub Hashicorp Terraform examples github.com/hashicorp/terraform/tree/master/examples TerraformBook.com meetup.com/London-HashiCorp-User-Group
- 48. @AlexMags Go forth and Terraform deploy!
- 49. @AlexMags Thanks! Questions? Alex Magnay (hire me!) Twitter: @alexmags Email:alex@alexmags.com
Editor's Notes
- CTO at Hentsu We consult, deploy and manage public cloud for our customers. Specialise in the Asset Management, hedge fund space. High availability, high security, regulatory compliance. London and NY. Come off big multi region azure deployment. Used terraform
- Last seen working at public cloud service provider Hentsu spinning up infra for new hedge funds and migrating hedge funds to public cloud Background engineering teams, investment banking, asset management regulatory compliance, high security, high availability, high tech Industry cert certifications & scout computer badge!!
- On prem vs IaaS Terrafrom Why youre here. WHAT it is Terraform workflow HOW to use it Demo Terraform for Dev, Sec, and Ops News Warning: Fetish for excruciating PowerPoint transitions.
- CEO of Infor at AWS Summit 2014 Building a computer room/dc is kind of interesting Keeping it running is a burden Huge distraction from working on stuff the business or the customer actually cares about Move dcs to public cloud and refocus on more important stuff that’s going to make company money/customers happy Building and maintaining DCs does keep you busy, doesn't make you valuable
- Azure gets you virtual datacentres, anywhere you want
- Ireland, London, Cardiff, Frankfurt, Netherlands Two more coming in France because Pourquoi Pas? Marseille, Paris “by end of year”. Sweden in 2018. Put infra– where your staff are, where your customers are, or just where it happens to be cheaper to run at the moment Terraform is great for configuring the software defined networking (virtual networks, subnets, routing tables) and then dropping VMs into them.
- Azure datacenters are positioned on laylines of tremendous connectivity If you’re an international organization , investigate if you can ditch your point to point international lease lines and use public cloud provider as a hub to link your offices and datacenters. When comparing the cost of on prem vs public cloud
- Now blend other pri cloud providers into the mix Snapshot Nov 2016 Azure had nearly twice the number of locations as AWS
- This is the news no ops guy wants to hear worst has happened product is wildly successful With public cloud “you got this” Scale up to bigger VMs, scale out to more, go global
- Oh yes. I’m going there. “I need the trading chain spun up in Frankfurt” “I need Corp IT env for new Paris office” Again: “youve got this” DCs, file servers, VDI in Paris, some trading servers in Frankfurt.
- Dragging things back to the point of talk show a way to manage public cloud services
- May I present Terraform (finally..) So what is it
- Don’t panic!! It looks like programming bit I promise, you’ve got this I’ll come back to this
- This is key WHAT it should look like Not HOW to get there Think desired state configuration Diff to imperative like powershell commands think order, not repeat
- Azure VM Extentions, AWS user data 1st boot strips Install chef/puppet agents or configure DSC on new VMs Or enrole new system in config management (eg ansible inventory) Provisioner local-exec
- Terraform has a plugin system of “providers”. AWS, Google Cloud, Microsoft Azure Bitbucket and Github Template, TLS, Random, HTTP VMware vSphere -
- Terraform has a plugin system of “providers”. The azure one can manage all this stuff so far Virtual network resources Vnet peering (spin up a new virtual data centre, wire it to existing virtual data centre (hub vnet with connection to on prem), configure all the routing ARM Templates
- Resource group Virtual network (virtual DC) 1 subnet called subnet 1
- Rg name lookup/cross reference “interpolation” No messing with Azure object IDs or AWS ARNs Type of resource – resource identifier – some property West US is repeated
- After WHAT, not the HOW we use terraform
- Bust out your favourite editor new favourite Use editor with assistance for Hashicorp Language (intellisense) I started on IntelliJ, Microsoft VScode also has HCL plugin now Git support is also useful
- Run terraform in PLAN mode Reads the code it finds in current directory Compares the code to your Azure subscription and works out differences (It also tells you if you’ve got any errors in your code that would prevent it from running)
- Produces a report of what WOULD change IF you ran this. 1) What resources would be added (Green) -example 2) What resources would be modified (yellow) -example 3) What resources would be removed (red) –example
- Terraform in Deploy mode Executes the plan and drives Azure API to make changes
- VMs, SQL instances, security groups, vnets But wait there’s more – checkout this transition…..
- PowerPoint acrobatics ladies and gentlemen This is a cycle Start small and build. Drop in incremental changes
- When you’re done with the environment – terraform destroy will tear down for you stop the billing clock $$$ You can also hook scripts “destroy provisioners” Remove machine from monitoring, clean up AD and DNS records, remove from config management Easy Tear up and tear down the latest version of the infra code – great for development environments. Easy reset.
- !IF! terraform had a Graphical User Interface for Windows guys it might look like this PLAN, APPLY, DESTORY It’s command line tool I’ve laboured this point too much. Moving on…
- Infrastructure as code - more consistent. Less manual errors and troubleshooting
- Demo crazy dave. Undo changes See WHAT changed and along with audit log you can see WHO changed it but no indication WHY. If changes are linked to git commit with reference to trouble ticket (JIRA/ServiceNow) which links to an APPROVED change request. Now the change control process becomes audit trail of WHO changed WHAT and WHY You can build a release pipeline where you don’t have change access but the scheduler does. Git commit, terraform validate, Security concerns: Long lived API keys. Give the CI system permission to push changes on behalf of staff.
- Get temporary creds or use a remote secrets store (hashicorp vault, azure vault) and then rotate the creds regularly
- July Burning monk. Exploiting weak passwords on public package repos. Added dependencies to packages that read creds when installed. AWS client CLI ini file. Don’t store keys on unmanaged devices (random bring your own macbook). Changes pushed from a hardened admin/management machine Least rights privilege.
- Dev 3 things Safely partition access to resources, allowing development freedom to manage own deployments/labs
- Azure Resource groups PERFECT for delegating access Resource Tags for tracking and billing Make this slide build out?
- Azure Resource groups PERFECT for delegating access. Access to production/shared services resource groups can be ring fenced Resource Tags for tracking and billing
- This easy for developer to spin up environments in their resource group If developers can spin up & tear down their own environments develops a culture of experimentation Terraform (because it's code) fits well in a continuous delivery pipeline
- All these things save you money
- There’s some love going on between MS and HC
- March 2016 press announcements Microsoft and Hashicorp announced full support for Azure From that time on Azure support started getting much better
- March 2016 hashicorp blog
- Around Build2017 May Terraform has momentum Microsoft is embracing terraform and collaborating with Hashicorp to ensure Terraform support for Azure keeps pace with new shiny stuff on Azure
- August 2017 Multi-year collaboration Opensource Terraform definitely a safe bet
- Hashicorp Terraform is backed by the public cloud vendors and here to stay Defacto standard
- Modules can enforce naming and tagging conventions Modules can enforce storage encryption