Alex Magnay - Azure Infrastructure as Code with Hashicorp Terraform

@AlexMags

Microsoft Azure Infrastructure as Code and Hashicorp Terraform

@alexmags #winops

Alex Magnay

Twitter: @alexmags

Email: alex@alexmags.com

This talk

• DIY on premises vs Infrastructure as a Service

• Hashicorp Terraform

• Terraform Workflow

• Demo

• Operations, Security, Development teams

• Microsoft & Hashicorp News

https://azure.microsoft.com/en-gb/regions/

Microsoft’s Backbone WAN

https://www.atomia.com/2016/11/24/comparing-the-geographical-coverage-of-aws-azure-and-google-cloud/

“We’re expanding!”

Brexit

Managing Azure

What is Terraform?

https://www.terraform.io/docs/providers/azurerm/

What is Terraform?

• A way to manage Azure

• Domain Specific Language

• Declarative

• Easy to read and write

• Drives the Azure API

• Runs on Windows & Linux

• Open Source

• Free

• Yes, seriously, it’s free

What is Terraform NOT?

• Not OS configuration management

• Not an abstraction layer for any cloud

https://www.terraform.io/docs/providers - September 2017

Alicloud, Archive, Arukas, AWS, Bitbucket, CenturyLinkCloud, Chef, Circonus, Cloudflare, CloudStack, Cobbler, Consul, Datadog, DigitalOcean, DNS, DNSMadeEasy, DNSimple, Docker, Dyn, External, Fastly

GitHub, Gitlab, Google Cloud, Grafana, Heroku, HTTP, Icinga2, Ignition, InfluxDB, Kubernetes, Librato, Local, Logentries, Mailgun, New Relic, Nomad, NS1, Microsoft Azure, MySQL, 1&1, Oracle Public Cloud

OpenStack, OpsGenie, OVH, Packet, PagerDuty, PostgreSQL, PowerDNS, ProfitBricks, RabbitMQ, Rancher, Random, Spotinst, Template, Terraform, Terraform Enterprise, TLS, Triton, UltraDNS, Vault, VMware vCloud Director, VMware vSphere

Resource Groups

App Service (web apps)

App Insights

Content Delivery Network

Containers

CosmosDB (Document DB)

DNS records

Event Hubs

Key vault

Event Hub

Virtual Network Resources

Load Balancers

Managed Disk

Redis cache

Azure Search

ServiceBus

Azure SQL

Storage

ARM templates

Virtual Machines

https://www.terraform.io/docs/providers/azurerm - September 2017

Terraform these Azure Resources

Terraform Workflow

Terraform Workflow

• Edit Code

• Terraform.exe Plan

• Execution Plan

• Terraform.exe Deploy

Terraform Workflow

• Edit Code

• Terraform Plan

• Terraform Deploy

• Terraform Destroy

Demo Time

Shut up and prove it!

Terraform For Operations

• Deploy, change, manage IaaS (any cloud!)

• With source control you can roll back to previous state

• Delegate dev environments to dev teams

• Give your execution plan to someone else to apply out of hours

Terraform For Security

• Enforce configuration

• Git commit history - See WHO changed WHAT and WHY

• Delegate Azure access to a scheduler (Jenkins/Teamcity)

• Security concerns – long lived API access keys with privileged access

• Don’t store keys in code or source control

• Don’t store keys in config files in default locations

• Don’t store keys in user or machine environment variables

• Use short key expiry times (1 hour)

Avoid long lived API access keys

https://www.terraform.io/docs/providers/azurerm/index.html

Plain text keys in default locations unsafe

http://theburningmonk.com/2017/07/slides-for-my-serverless-security-talk (65)

Terraform For Developers

Ops Terraform

• Resource groups

• vNets

• Subnets

• VPNs

• Shared infra services

• Security groups

• Ops state file

Dev Terraform

• Read only Ops state file

• Dev VMs and Apps

• Dev state file
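
A Dev configuration matching the Ops/Dev split above and the key-handling advice from the security slide, as an added example that is not from the talk. It uses current Terraform and azurerm syntax rather than the 2017 versions, and every resource name, the storage account and the `dev_subnet_id` output are assumptions.

```hcl
terraform {
  # Dev state file, kept apart from the Ops state (all names here are constructed placeholders).
  backend "azurerm" {
    resource_group_name  = "rg-tfstate-example"
    storage_account_name = "sttfstateexample"
    container_name       = "dev-state"
    key                  = "dev.terraform.tfstate"
    use_azuread_auth     = true
  }
}

# No client_id, client_secret, tenant_id or subscription_id in code: the provider reads
# ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_TENANT_ID and ARM_SUBSCRIPTION_ID from the process environment.
provider "azurerm" {
  features {}
}

# Ops state file, read only. The data source never writes, but the guarantee
# comes from storage: give the Dev identity a read-only data role on the
# ops-state container only. State can hold secrets in plain text.
data "terraform_remote_state" "ops" {
  backend = "azurerm"
  config = {
    resource_group_name  = "rg-tfstate-example"
    storage_account_name = "sttfstateexample"
    container_name       = "ops-state"
    key                  = "ops.terraform.tfstate"
    use_azuread_auth     = true
  }
}

resource "azurerm_resource_group" "dev" {
  name     = "rg-dev-example"
  location = "uksouth"
  tags     = { deployed_by = "terraform" }
}

# A Dev NIC attached to a subnet that Ops owns. dev_subnet_id is a
# hypothetical output that the Ops configuration would have to declare.
resource "azurerm_network_interface" "dev_vm" {
  name                = "nic-dev-example"
  location            = azurerm_resource_group.dev.location
  resource_group_name = azurerm_resource_group.dev.name
  ip_configuration {
    name                          = "internal"
    subnet_id                     = data.terraform_remote_state.ops.outputs.dev_subnet_id
    private_ip_address_allocation = "Dynamic"
  }
}
```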

Terraform For Developers

Ops Resource Group Dev Resource Group

Windows PowerShell

Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS H:\> cd MyEnvironment

PS H:\MyEnvironment\> terraform apply

PS H:\MyEnvironment\> terraform destroy

Terraform For Your Budget

• Terraform is open source and free

• Tear up & tear down easily – only pay when required

• Let terraform clean up. Avoid wasteful cruft

• Don’t write your own cloud infra management tooling!

Why Now?

Microsoft Hashicorp

March 2016

“HashiCorp has set a high standard for infrastructure automation across public and private clouds. We're excited that HashiCorp tools now fully support managing Microsoft Azure resources, and look forward to our enterprise customers leveraging these tools to improve their operator workflows across large teams and global infrastructure.”

Corey Sanders, Director of Program Management, Azure, Microsoft Corp.

http://www.marketwired.com/press-release/hashicorp-announces-full-support-for-microsoft-azure-across-its-products-2108249.htm

https://www.hashicorp.com/blog/azure-resource-manager-support-for-packer-and-terraform/

Microsoft Channel 9

August 2017

“I am excited to announce that we are greatly increasing our investment in Terraform, partnering closely with HashiCorp, a well-known voice in the DevOps and cloud infrastructure management space.”

Corey Sanders, Director of Program Management, Azure, Microsoft Corp.

HashiCorp, a leader in cloud infrastructure automation, today announced a multi-year collaboration with Microsoft to deepen support for the provisioning of Microsoft Azure cloud services with HashiCorp Terraform.

http://www.marketwired.com/press-release/hashicorp-extend-work-with-microsoft-multi-year-collaboration-that-enables-hashicorp-2230675.htm

September 2017

https://azure.microsoft.com/en-us/blog/more-and-more-fun-with-terraform-on-azure

https://cloudplatform.googleblog.com/2017/09/HashiCorp-and-Google-expand-collaboration-easing-secret-and-infrastructure-management.html

Takeaways & Tips From the Field

• Don’t mix manual deploy and Terraform

• Start simple and build up iteratively

• Establish a resource naming convention quickly

• Tag everything ‘deployed_by=terraform’

• Use comments liberally

• Use modules, variablise everything, set sensible defaults

• Use remote backend/remote state file

• Ops need to learn source control tools (Git)

• Stay safe: Avoid long lived API access keys

Resources

terraform.io/docs

GitHub Hashicorp Terraform examples: github.com/hashicorp/terraform/tree/master/examples

TerraformBook.com

meetup.com/London-HashiCorp-User-Group

Go forth and Terraform deploy!

Thanks! Questions?

Alex Magnay (hire me!)

Twitter: @alexmags

Email: alex@alexmags.com
