This document summarizes a presentation about using Terraform and Azure. The presentation introduces Infrastructure as Code and Terraform, shows how to manage Azure resources with Terraform, demonstrates the Terraform workflow, and discusses use cases for operations, security, and development teams. It also covers tips for using Terraform effectively and safely with Azure. Microsoft and Hashicorp have partnered to improve support for provisioning Azure services with Terraform.
3. @AlexMags
This talk
• DIY on premises vs Infrastructure as a Service
• Hashicorp Terraform
• Terraform Workflow
• Demo
• Operations, Security, Development teams
• Microsoft & Hashicorp News
14. @AlexMags
What is Terraform?
• A way to manage Azure
• Domain Specific Language
• Declarative
• Easy to read and write
• Drives the Azure API
• Runs on Windows & Linux
• Open Source
• Free
• Yes, seriously, it’s free
30. @AlexMags
Terraform For Operations
• Deploy, change, manage IaaS (any cloud!)
• With source control you can roll back to previous state
• Delegate dev environments to dev teams
• Give your execution plan to someone else to apply out of hours
31. @AlexMags
Terraform For Security
• Enforce configuration
• Git commit history - See WHO changed WHAT and WHY
• Delegate Azure access to a scheduler (Jenkins/Teamcity)
• Security concerns – long lived API access keys with privileged access
• Don’t store keys in code or source control
• Don’t store keys in config files in default locations
• Don’t store keys in user or machine environment variables
• Use short key expiry times (1 hour)
33. @AlexMags
Plain text keys in default locations unsafe
http://theburningmonk.com/2017/07/slides-for-my-serverless-security-talk (65)
34. @AlexMags
Terraform For Developers
Ops Terraform
• Resource groups
• vNets
• Subnets
• VPNs
• Shared infra services
• Security groups
• Ops state file
Dev Terraform
• Read only Ops state file
• Dev VMs and Apps
• Dev state file
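As an added example (not from the talk), here is how a dev team's Terraform might be laid out to follow slides 31 and 34: the dev workspace reads the ops state file read-only, keeps its own state in a remote backend, and neither the backend nor the provider carries a long-lived access key. Resource group, storage account and container names are placeholders; it assumes the azurerm provider at v3.7 or later, that the ops root module declares an output named `subnet_id`, and that the pipeline identity has a federated (OIDC) credential so only ARM_CLIENT_ID, ARM_TENANT_ID and ARM_SUBSCRIPTION_ID come from the environment, with no secret anywhere.

```hcl
terraform {
  # Dev state has its own container. Azure AD auth to the backend means
  # no storage account access key has to exist in config, env vars or CI.
  backend "azurerm" {
    resource_group_name  = "rg-tfstate"       # placeholder names
    storage_account_name = "sttfstateexample"
    container_name       = "dev"
    key                  = "dev.terraform.tfstate"
    use_azuread_auth     = true
  }
}
# No client_secret: the provider authenticates with a short-lived OIDC
# token issued to the pipeline identity (federated credential assumed).
provider "azurerm" {
  features {}
  use_oidc = true
}

# Read-only view of the ops state: the dev identity needs only blob read
# on the "ops" container, so it can reference shared networking, not change it.
data "terraform_remote_state" "ops" {
  backend = "azurerm"
  config = {
    resource_group_name  = "rg-tfstate"
    storage_account_name = "sttfstateexample"
    container_name       = "ops"
    key                  = "ops.terraform.tfstate"
    use_azuread_auth     = true
  }
}

# Dev-owned resources live in a dev resource group, where RBAC can give
# the team Contributor without touching production resource groups.
resource "azurerm_resource_group" "dev" {
  name     = "rg-dev-lab"
  location = "westeurope"
  tags     = { deployed_by = "terraform", environment = "dev" }
}

resource "azurerm_network_interface" "dev" {
  name                = "nic-dev-lab-01"
  location            = azurerm_resource_group.dev.location
  resource_group_name = azurerm_resource_group.dev.name
  ip_configuration {
    name                          = "primary"
    # Interpolated from ops state; assumes ops declares output "subnet_id".
    subnet_id                     = data.terraform_remote_state.ops.outputs.subnet_id
    private_ip_address_allocation = "Dynamic"
  }
}
```

If the ops container grants the dev identity read but not write, a dev `terraform apply` can consume the shared subnet yet any attempt to manage ops resources from the dev workspace fails at the state layer.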
37. @AlexMags
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS H:\> cd MyEnvironment
PS H:\MyEnvironment> terraform apply
PS H:\MyEnvironment> terraform destroy
38. @AlexMags
Terraform For Your Budget
• Terraform is open source and free
• Tear up & tear down easily – only pay when required
• Let terraform clean up. Avoid wasteful cruft
• Don’t write your own cloud infra management tooling!
41. @AlexMags
March 2016
"HashiCorp has set a high standard for infrastructure automation across public and private clouds. We're excited that HashiCorp tools now fully support managing Microsoft Azure resources, and look forward to our enterprise customers leveraging these tools to improve their operator workflows across large teams and global infrastructure."
Corey Sanders,
Director of Program Management, Azure, Microsoft Corp.
http://www.marketwired.com/press-release/hashicorp-announces-full-support-for-microsoft-azure-across-its-products-2108249.htm
44. @AlexMags
August 2017
“I am excited to announce that we are greatly increasing our investment in Terraform, partnering closely with HashiCorp, a well-known voice in the DevOps and cloud infrastructure management space.”
Corey Sanders,
Director of Program Management, Azure, Microsoft Corp.
HashiCorp, a leader in cloud infrastructure automation, today announced a multi-year collaboration with Microsoft to deepen support for the provisioning of Microsoft Azure cloud services with HashiCorp Terraform.
http://www.marketwired.com/press-release/hashicorp-extend-work-with-microsoft-multi-year-collaboration-that-enables-hashicorp-2230675.htm
46. @AlexMags
Takeaways & Tips From the Field
• Don’t mix manual deploy and Terraform
• Start simple and build up iteratively
• Establish a resource naming convention quickly
• Tag everything ‘deployed_by=terraform’
• Use comments liberally
• Use modules, variablise everything, set sensible defaults
• Use remote backend/remote state file
• Ops need to learn source control tools (Git)
• Stay safe: Avoid long lived API access keys
CTO at Hentsu. We consult, deploy and manage public cloud for our customers.
Specialise in the Asset Management, hedge fund space.
High availability, high security, regulatory compliance. London and NY.
Come off big multi region azure deployment.
Used terraform
Last seen working at public cloud service provider Hentsu spinning up infra for new hedge funds and migrating hedge funds to public cloud
Background: engineering teams, investment banking, asset management; regulatory compliance, high security, high availability, high tech
Industry certifications & scout computer badge!!
On prem vs IaaS
Terraform: why you're here. WHAT it is
Terraform workflow HOW to use it
Demo
Terraform for Dev, Sec, and Ops
News
Warning: Fetish for excruciating PowerPoint transitions.
CEO of Infor at AWS Summit 2014
Building a computer room/dc is kind of interesting
Keeping it running is a burden
Huge distraction from working on stuff the business or the customer actually cares about
Move dcs to public cloud and refocus on more important stuff that’s going to make company money/customers happy
Building and maintaining DCs does keep you busy, doesn't make you valuable
Azure gets you virtual datacentres, anywhere you want
Ireland, London, Cardiff, Frankfurt, Netherlands
Two more coming in France because Pourquoi Pas? Marseille, Paris “by end of year”. Sweden in 2018.
Put infra where your staff are, where your customers are, or just where it happens to be cheaper to run at the moment
Terraform is great for configuring the software defined networking (virtual networks, subnets, routing tables) and then dropping VMs into them.
Azure datacenters are positioned on ley lines of tremendous connectivity. If you’re an international organization, investigate whether you can ditch your point-to-point international leased lines and use the public cloud provider as a hub to link your offices and datacenters.
When comparing the cost of on prem vs public cloud
Now blend other pri cloud providers into the mix
Snapshot, Nov 2016: Azure had nearly twice the number of locations as AWS
This is the news no ops guy wants to hear
worst has happened
product is wildly successful
With public cloud “you got this”
Scale up to bigger VMs, scale out to more, go global
Oh yes. I’m going there.
“I need the trading chain spun up in Frankfurt”
“I need Corp IT env for new Paris office”
Again: “youve got this”
DCs, file servers, VDI in Paris, some trading servers in Frankfurt.
Dragging things back to the point of talk
show a way to manage public cloud services
May I present Terraform (finally..). So what is it?
Don’t panic!!
It looks a bit like programming, but I promise, you’ve got this
I’ll come back to this
This is key
WHAT it should look like
Not HOW to get there
Think desired state configuration
Different from imperative PowerShell commands, where you have to think about order and can’t simply re-run
Azure VM Extensions, AWS user data: first-boot scripts
Install chef/puppet agents or configure DSC on new VMs
Or enrol the new system in config management (eg Ansible inventory)
Provisioner local-exec
Terraform has a plugin system of “providers”.
AWS, Google Cloud, Microsoft Azure, Bitbucket and GitHub
Template, TLS, Random, HTTP
VMware vSphere
The Azure provider can manage all of this so far:
Virtual network resources
Vnet peering (spin up a new virtual data centre, wire it to the existing virtual data centre (hub vnet with connection to on prem), configure all the routing)
ARM Templates
Resource group
Virtual network (virtual DC)
1 subnet called subnet 1
Resource group name lookup / cross reference: “interpolation”
No messing with Azure object IDs or AWS ARNs
Type of resource – resource identifier – some property
West US is repeated
After WHAT, not the HOW we use terraform
Bust out your favourite editor (or a new favourite). Use an editor with assistance for the HashiCorp Configuration Language (IntelliSense)
I started on IntelliJ, Microsoft VScode also has HCL plugin now
Git support is also useful
Run terraform in PLAN mode. Reads the code it finds in the current directory. Compares the code to your Azure subscription and works out the differences
(It also tells you if you’ve got any errors in your code that would prevent it from running)
Produces a report of what WOULD change IF you ran this:
1) What resources would be added (green) – example
2) What resources would be modified (yellow) – example
3) What resources would be removed (red) – example
Terraform in Deploy mode. Executes the plan and drives the Azure API to make changes
VMs, SQL instances, security groups, vnets
But wait there’s more – checkout this transition…..
PowerPoint acrobatics, ladies and gentlemen. This is a cycle. Start small and build.
Drop in incremental changes
When you’re done with the environment – terraform destroy will tear down for you
stop the billing clock $$$
You can also hook scripts: “destroy provisioners”. Remove machine from monitoring, clean up AD and DNS records, remove from config management
Easy Tear up and tear down the latest version of the infra code – great for development environments. Easy reset.
!IF! terraform had a Graphical User Interface for Windows guys it might look like this
PLAN, APPLY, DESTROY. It’s a command line tool. I’ve laboured this point too much. Moving on…
Infrastructure as code - more consistent. Fewer manual errors and less troubleshooting
Demo crazy dave. Undo changes
See WHAT changed, and along with the audit log you can see WHO changed it, but there is no indication of WHY. If changes are linked to a git commit with a reference to a trouble ticket (JIRA/ServiceNow), which links to an APPROVED change request, the change control process becomes an audit trail of WHO changed WHAT and WHY
You can build a release pipeline where you don’t have change access but the scheduler does. Git commit, terraform validate,
Security concerns: Long lived API keys. Give the CI system permission to push changes on behalf of staff.
Get temporary creds or use a remote secrets store (HashiCorp Vault, Azure Key Vault) and then rotate the creds regularly
July, Burning Monk: exploiting weak passwords on public package repos. Dependencies added to packages that read creds when installed, e.g. the AWS CLI ini file.
Don’t store keys on unmanaged devices (random bring-your-own MacBook). Changes pushed from a hardened admin/management machine. Least privilege.
Dev 3 things
Safely partition access to resources, allowing development freedom to manage own deployments/labs
Azure Resource groups PERFECT for delegating access
Resource Tags for tracking and billing
Make this slide build out?
Azure Resource groups PERFECT for delegating access. Access to production/shared services resource groups can be ring fenced
This makes it easy for developers to spin up environments in their own resource group
If developers can spin up & tear down their own environments, it develops a culture of experimentation
Terraform (because it's code) fits well in a continuous delivery pipeline
All these things save you money
There’s some love going on between MS and HC
March 2016 press announcements: Microsoft and Hashicorp announced full support for Azure. From that time on Azure support started getting much better
March 2016 hashicorp blog
Around Build 2017 (May): Terraform has momentum
Microsoft is embracing terraform and collaborating with Hashicorp to ensure Terraform support for Azure keeps pace with new shiny stuff on Azure
August 2017: multi-year collaboration. Open source Terraform is definitely a safe bet
Hashicorp Terraform is backed by the public cloud vendors and here to stay. De facto standard
Modules can enforce naming and tagging conventions. Modules can enforce storage encryption
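As an added illustration of that last point (example code, not from the talk), a minimal module of the kind slide 46 and this note describe: it rejects storage account names outside the convention and tag sets missing the required keys at plan time, stamps deployed_by=terraform on what it creates, and hard-codes the encryption-related settings so callers cannot weaken them. Attribute names assume the azurerm provider v3.x; the module path, variable names, "st" prefix and mandatory tag keys are this example's own choices.

```hcl
# modules/storage/main.tf (hypothetical module path)

variable "name" {
  type        = string
  description = "Storage account name: 'st' prefix, lower-case letters/digits, 3-24 chars."
  validation {
    condition     = can(regex("^st[a-z0-9]{1,22}$", var.name))
    error_message = "Name must match ^st[a-z0-9]{1,22}$ (Azure storage naming rules plus the 'st' prefix)."
  }
}

variable "resource_group_name" { type = string }
variable "location"            { type = string }

variable "tags" {
  type        = map(string)
  description = "Caller tags; 'owner' and 'environment' are mandatory."
  validation {
    condition     = alltrue([for k in ["owner", "environment"] : contains(keys(var.tags), k)])
    error_message = "Tags must include 'owner' and 'environment'."
  }
}

locals {
  # The module-controlled tag is merged last, so it wins over caller input.
  tags = merge(var.tags, { deployed_by = "terraform" })
}

resource "azurerm_storage_account" "this" {
  name                     = var.name
  resource_group_name      = var.resource_group_name
  location                 = var.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  # Deliberately not exposed as variables: no caller can opt out of them.
  min_tls_version                   = "TLS1_2"
  enable_https_traffic_only         = true
  infrastructure_encryption_enabled = true   # second layer of encryption at rest
  allow_nested_items_to_be_public   = false

  tags = local.tags
}

output "id" { value = azurerm_storage_account.this.id }
```

A caller that passes `name = "mydata"` or omits the `owner` tag fails at `terraform plan`, before anything reaches the Azure API.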