alex magnay - azure infrastructure as code with hashicorp terraform
TRANSCRIPT
@AlexMags
Microsoft Azure Infrastructure as Code and Hashicorp Terraform
@alexmags #winops
This talk
• DIY on premises vs Infrastructure as a Service
• Hashicorp Terraform
• Terraform Workflow
• Demo
• Operations, Security, Development teams
• Microsoft & Hashicorp News
https://azure.microsoft.com/en-gb/regions/
Microsoft’s Backbone WAN
https://www.atomia.com/2016/11/24/comparing-the-geographical-coverage-of-aws-azure-and-google-cloud/
“We’re expanding!”
Brexit
Managing Azure
What is Terraform?
https://www.terraform.io/docs/providers/azurerm/
What is Terraform?
• A way to manage Azure
• Domain Specific Language
• Declarative
• Easy to read and write
• Drives the Azure API
• Runs on Windows & Linux
• Open Source
• Free
• Yes, seriously, it’s free
What is Terraform NOT?
• Not OS configuration management
• Not an abstraction layer for any cloud
Terraform providers (https://www.terraform.io/docs/providers - September 2017):
Alicloud, Archive, Arukas, AWS, Bitbucket, CenturyLinkCloud, Chef, Circonus, Cloudflare, CloudStack, Cobbler, Consul, Datadog, DigitalOcean, DNS, DNSMadeEasy, DNSimple, Docker, Dyn, External, Fastly, GitHub, Gitlab, Google Cloud, Grafana, Heroku, HTTP, Icinga2, Ignition, InfluxDB, Kubernetes, Librato, Local, Logentries, Mailgun, New Relic, Nomad, NS1, Microsoft Azure, MySQL, 1&1, Oracle Public Cloud, OpenStack, OpsGenie, OVH, Packet, PagerDuty, PostgreSQL, PowerDNS, ProfitBricks, RabbitMQ, Rancher, Random, Spotinst, Template, Terraform, Terraform Enterprise, TLS, Triton, UltraDNS, Vault, VMware vCloud Director, VMware vSphere
Terraform these Azure Resources
• Resource Groups
• App Service (web apps)
• App Insights
• Content Delivery Network
• Containers
• CosmosDB (Document DB)
• DNS records
• Event Hubs
• Key vault
• Virtual Network Resources
• Load Balancers
• Managed Disk
• Redis cache
• Azure Search
• ServiceBus
• Azure SQL
• Storage
• ARM templates
• Virtual Machines
https://www.terraform.io/docs/providers/azurerm - September 2017
Terraform Workflow
• Edit Code
• Terraform Plan (produces an Execution Plan)
• Terraform Deploy
• Terraform Destroy
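The workflow above runs over a configuration file like the following. This is an added example written for this page, not code from the talk; the resource names, the state storage account and the address space are hypothetical, and it assumes Terraform 0.12+ syntax and the azurerm provider 2.x or later (the `features {}` block and `address_prefixes`). It is an "Ops" configuration: shared network, a network security group, one tag set on everything, and outputs that other states can read.

```hcl
# ops/main.tf  (added example; all names are hypothetical)
terraform {
  required_version = ">= 0.12"

  # Remote state in an Azure Storage container that is assumed to exist already.
  # No access key is written here: the backend authenticates with whatever
  # identity Terraform is run under (see the security section of the talk).
  backend "azurerm" {
    resource_group_name  = "rg-tfstate"        # hypothetical
    storage_account_name = "sttfstateexample"  # hypothetical
    container_name       = "tfstate"
    key                  = "ops.terraform.tfstate"
  }

  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
  }
}

provider "azurerm" {
  features {} # required by azurerm provider 2.x and later
}

# Variablise everything and give sensible defaults.
variable "environment" {
  type    = string
  default = "ops"
}

variable "location" {
  type    = string
  default = "uksouth"
}

variable "address_space" {
  type    = list(string)
  default = ["10.10.0.0/16"]
}

# One tag set applied to every resource, so that resources Terraform owns
# can be told apart from anything created by hand in the portal.
locals {
  tags = {
    deployed_by = "terraform"
    environment = var.environment
  }
}

resource "azurerm_resource_group" "ops" {
  name     = "rg-${var.environment}"
  location = var.location
  tags     = local.tags
}

resource "azurerm_virtual_network" "ops" {
  name                = "vnet-${var.environment}"
  resource_group_name = azurerm_resource_group.ops.name
  location            = azurerm_resource_group.ops.location
  address_space       = var.address_space
  tags                = local.tags
}

resource "azurerm_subnet" "shared" {
  name                 = "snet-shared"
  resource_group_name  = azurerm_resource_group.ops.name
  virtual_network_name = azurerm_virtual_network.ops.name
  # cidrsubnet("10.10.0.0/16", 8, 1) is 10.10.1.0/24
  address_prefixes     = [cidrsubnet(var.address_space[0], 8, 1)]
}

# No custom rules yet: Azure's default NSG rules apply (traffic inside the
# VNet allowed, other inbound denied). Rules are added here, in code, so they
# show up in plans and commit history rather than as portal clicks.
resource "azurerm_network_security_group" "shared" {
  name                = "nsg-shared"
  resource_group_name = azurerm_resource_group.ops.name
  location            = azurerm_resource_group.ops.location
  tags                = local.tags
}

resource "azurerm_subnet_network_security_group_association" "shared" {
  subnet_id                 = azurerm_subnet.shared.id
  network_security_group_id = azurerm_network_security_group.shared.id
}

# Outputs are the only part of this state other teams need to read.
output "shared_subnet_id" {
  value = azurerm_subnet.shared.id
}

output "location" {
  value = azurerm_resource_group.ops.location
}
```

The edit/plan/deploy cycle is `terraform plan -out=ops.tfplan` to produce the execution plan as a file, review of that file, then `terraform apply ops.tfplan`; because the saved plan is what gets applied, it is also what you hand to someone else to apply out of hours, and `terraform destroy` tears the whole group down when it is no longer paid for.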
Demo Time: Shut up and prove it!
Terraform For Operations
• Deploy, change, manage IaaS (any cloud!)
• With source control you can roll back to previous state
• Delegate dev environments to dev teams
• Give your execution plan to someone else to apply out of hours
Terraform For Security
• Enforce configuration
• Git commit history - See WHO changed WHAT and WHY
• Delegate Azure access to a scheduler (Jenkins/Teamcity)
• Security concerns – long lived API access keys with privileged access
• Don’t store keys in code or source control
• Don’t store keys in config files in default locations
• Don’t store keys in user or machine environment variables
• Use short key expiry times (1 hour)
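The weak and the hardened form of the provider configuration these bullets describe, side by side. This is an added example, not code from the talk; the IDs are placeholders, and the hardened form assumes the scheduler agent (Jenkins/TeamCity) runs on an Azure VM with a managed identity and an azurerm provider version that supports `use_msi` (1.x or later). Only one of the two provider blocks would exist in a real file; the weak one is kept commented out here so the two can be compared.

```hcl
# providers.tf  (added example; all IDs are placeholders)

# WEAK: a long-lived service principal secret hard-coded in the provider block.
# Everyone with read access to the repository, plus every clone, fork, CI
# workspace and backup of it, now holds privileged Azure credentials that
# never expire and cannot be tied back to a person.
#
# provider "azurerm" {
#   features {}
#   subscription_id = "00000000-0000-0000-0000-000000000000"
#   tenant_id       = "00000000-0000-0000-0000-000000000000"
#   client_id       = "00000000-0000-0000-0000-000000000000"
#   client_secret   = "PLACEHOLDER-LONG-LIVED-SECRET"   # never do this
# }

# HARDENED: nothing secret in the file, in a config file or in an environment
# variable. Terraform runs on the scheduler's agent VM; the VM's managed
# identity is granted only the roles this state needs, and Azure issues it
# short-lived tokens on demand, so there is no key to leak or rotate.
provider "azurerm" {
  features {}
  use_msi         = true   # assumes azurerm provider 1.x+ with MSI auth
  subscription_id = var.subscription_id
  tenant_id       = var.tenant_id
}

# Non-secret identifiers still arrive as variables with no default, so the
# same code can be pointed at a different subscription per pipeline and the
# repository never records which subscription is which.
variable "subscription_id" {
  type = string
}

variable "tenant_id" {
  type = string
}
```

Two checks go with this: a pre-commit or CI grep over `*.tf` and `*.tfvars` for `client_secret` or `access_key` followed by a literal string, which catches the weak form before it reaches the commit history the next slide relies on, and the same access control on the remote state container as on the keys themselves, because the state file stores resource attributes (including any passwords Terraform set) in plain text.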
Avoid long lived API access keys
https://www.terraform.io/docs/providers/azurerm/index.html
Plain text keys in default locations unsafe
http://theburningmonk.com/2017/07/slides-for-my-serverless-security-talk (65)
Terraform For Developers
Ops Terraform
• Resource groups
• vNets
• Subnets
• VPNs
• Shared infra services
• Security groups
• Ops state file
Dev Terraform
• Read only Ops state file
• Dev VMs and Apps
• Dev state file
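The Dev side of the split described above, as an added example rather than code from the talk. It assumes Terraform 0.12+ syntax (`.outputs.` on remote state), azurerm provider 2.x or later (`azurerm_linux_virtual_machine`), and an Ops configuration whose state exports `shared_subnet_id` and `location` outputs; the storage account, container and resource names are hypothetical. "Read only" is enforced outside Terraform: the Dev identity is granted read on the Ops state blob and write only on its own.

```hcl
# dev/main.tf  (added example; all names are hypothetical)
terraform {
  required_version = ">= 0.12"

  # Dev's own state, in the same container but a different blob from Ops.
  backend "azurerm" {
    resource_group_name  = "rg-tfstate"        # hypothetical
    storage_account_name = "sttfstateexample"  # hypothetical
    container_name       = "tfstate"
    key                  = "dev.terraform.tfstate"
  }

  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
  }
}

provider "azurerm" {
  features {}
}

# Read-only view of the Ops state. Terraform only ever reads outputs from a
# remote state data source, and the Dev identity has no write permission on
# the Ops blob, so a dev run cannot alter or corrupt shared infrastructure.
data "terraform_remote_state" "ops" {
  backend = "azurerm"
  config = {
    resource_group_name  = "rg-tfstate"
    storage_account_name = "sttfstateexample"
    container_name       = "tfstate"
    key                  = "ops.terraform.tfstate"
  }
}

variable "ssh_public_key" {
  type        = string
  description = "Public key for the dev VM admin user (no default: supplied per run)"
}

locals {
  tags = { deployed_by = "terraform", environment = "dev" }
}

# Dev resource group: everything below is Dev-owned and can be destroyed freely.
resource "azurerm_resource_group" "dev" {
  name     = "rg-dev"
  location = data.terraform_remote_state.ops.outputs.location
  tags     = local.tags
}

# Dev-owned NIC placed in the Ops-owned shared subnet (the only cross-state link).
resource "azurerm_network_interface" "dev" {
  name                = "nic-dev-01"
  resource_group_name = azurerm_resource_group.dev.name
  location            = azurerm_resource_group.dev.location
  tags                = local.tags

  ip_configuration {
    name                          = "primary"
    subnet_id                     = data.terraform_remote_state.ops.outputs.shared_subnet_id
    private_ip_address_allocation = "Dynamic"
  }
}

# Key-based login only; no admin password exists to end up in the state file.
resource "azurerm_linux_virtual_machine" "dev" {
  name                  = "vm-dev-01"
  resource_group_name   = azurerm_resource_group.dev.name
  location              = azurerm_resource_group.dev.location
  size                  = "Standard_B1s"
  admin_username        = "devadmin"
  network_interface_ids = [azurerm_network_interface.dev.id]
  tags                  = local.tags

  admin_ssh_key {
    username   = "devadmin"
    public_key = var.ssh_public_key
  }

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  source_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "18.04-LTS"
    version   = "latest"
  }
}

output "dev_vm_private_ip" {
  value = azurerm_network_interface.dev.private_ip_address
}
```

Because the VNet, subnets and security groups never appear as resources in this file, a Dev `terraform destroy` removes only the Dev resource group, which is what makes delegating environments to dev teams safe.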
Terraform For Developers
Ops Resource Group Dev Resource Group
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS H:\> cd MyEnvironment
PS H:\MyEnvironment\> terraform apply
PS H:\MyEnvironment\> terraform destroy
Terraform For Your Budget
• Terraform is open source and free
• Tear up & tear down easily – only pay when required
• Let terraform clean up. Avoid wasteful cruft
• Don’t write your own cloud infra management tooling!
Why Now?
Microsoft Hashicorp
March 2016
“HashiCorp has set a high standard for infrastructure automation across public and private clouds. We're excited that HashiCorp tools now fully support managing Microsoft Azure resources, and look forward to our enterprise customers leveraging these tools to improve their operator workflows across large teams and global infrastructure.” Corey Sanders, Director of Program Management, Azure, Microsoft Corp.
http://www.marketwired.com/press-release/hashicorp-announces-full-support-for-microsoft-azure-across-its-products-2108249.htm
https://www.hashicorp.com/blog/azure-resource-manager-support-for-packer-and-terraform/
Microsoft Channel 9
August 2017
“I am excited to announce that we are greatly increasing our investment in Terraform, partnering closely with HashiCorp, a well-known voice in the DevOps and cloud infrastructure management space.”
Corey Sanders, Director of Program Management, Azure, Microsoft Corp.
HashiCorp, a leader in cloud infrastructure automation, today announced a multi-year collaboration with Microsoft to deepen support for the provisioning of Microsoft Azure cloud services with HashiCorp Terraform.
http://www.marketwired.com/press-release/hashicorp-extend-work-with-microsoft-multi-year-collaboration-that-enables-hashicorp-2230675.htm
September 2017
https://azure.microsoft.com/en-us/blog/more-and-more-fun-with-terraform-on-azure
https://cloudplatform.googleblog.com/2017/09/HashiCorp-and-Google-expand-collaboration-easing-secret-and-infrastructure-management.html
Takeaways & Tips From the Field
• Don’t mix manual deploy and Terraform
• Start simple and build up iteratively
• Establish a resource naming convention quickly
• Tag everything ‘deployed_by=terraform’
• Use comments liberally
• Use modules, variablise everything, set sensible defaults
• Use remote backend/remote state file
• Ops need to learn source control tools (Git)
• Stay safe: Avoid long lived API access keys
Resources
terraform.io/docs
GitHub Hashicorp Terraform examples: github.com/hashicorp/terraform/tree/master/examples
TerraformBook.com
meetup.com/London-HashiCorp-User-Group
Go forth and Terraform deploy!