Nowadays applications are not the only thing written in code. Thanks to the cloud, the configuration of infrastructure such as virtual machines or networks is defined in code and delivered automatically. This is called Infrastructure as Code, or IaC for short. For Infrastructure as Code on Azure there are many tools such as Ansible, Puppet, Chef, etc. Two solutions stand out because of their different approaches: Azure Resource Manager templates (ARM) as the Microsoft-native solution, always up to date but tied to Azure, and on the other side Terraform from HashiCorp, built on a declarative language but with fewer security features. We compared the two technologies for a large customer. In this session we present the results with live demos.
6. What is IaC
“Infrastructure as code (IaC) is the process of managing and provisioning computer data centers through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools” – Wikipedia
7. Why is IaC cool?
• Provides consistency across all deployments and stages
• Version control
• Faster deployments and recovery
• Just in time deployments
• Documentation is already included to a certain degree
8. But IaC is not the solution for everything…
• Change Management still needs to be done
• Configuration management
• Apply IAM inside the Infrastructure / Platform / Service
• Automated validation
11. Terraform
• Declarative language
• Tries to be cloud independent
• Dependencies evaluated automatically based on a graph
• Tracks cloud resources inside a state file (.tf.state)
• Contains sensitive data
• Lacks security features
Agenda
• Code ☺
• Plan feature
12. Terraform and Azure
• Partnership with Microsoft
• Renewed Jun 2019
• Based on the "Azure SDK for Go"
• Available in Azure Cloud Shell
13. Terraform - Plans
• Unique test / plan feature
• Check syntax
• Build dependency graph
• Base for validation
Terraform will perform the following actions:
  ~ azurerm_cosmosdb_account.db
      consistency_policy.0.max_interval_in_seconds: "10" => "20"
Plan: 0 to add, 1 to change, 0 to destroy.
14. Terraform - Plans
Terraform will perform the following actions:
-/+ azurerm_cosmosdb_account.db (new resource required)
      id:                   "/xxx/cosmosdb-0" => <computed> (forces new resource)
      name:                 "cosmosdb-0" => "cosmosdb-1" (forces new resource)
      read_endpoints.#:     "1" => <computed>
      resource_group_name:  "xxx" => "tvd-azuredays-resourcegroup-0"
      secondary_master_key: <sensitive> => <computed> (attribute changed)
Plan: 1 to add, 0 to change, 1 to destroy.
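Slides 13 and 14 show the text-format plan that the talk calls the "base for validation". As an added example that is not part of the talk, here is a small Python pre-apply gate that parses that output, counts the planned actions, flags resources marked -/+ (destroy and recreate) and records attributes shown as <sensitive>. The two plan texts are constructed from the slides; the column alignment is assumed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the two plan excerpts from the slides (Terraform 0.11 text format).
PLAN_CHANGE = """Terraform will perform the following actions:
  ~ azurerm_cosmosdb_account.db
      consistency_policy.0.max_interval_in_seconds: "10" => "20"
Plan: 0 to add, 1 to change, 0 to destroy.
"""
PLAN_REPLACE = """Terraform will perform the following actions:
-/+ azurerm_cosmosdb_account.db (new resource required)
      id:                   "/xxx/cosmosdb-0" => <computed> (forces new resource)
      name:                 "cosmosdb-0" => "cosmosdb-1" (forces new resource)
      read_endpoints.#:     "1" => <computed>
      resource_group_name:  "xxx" => "tvd-azuredays-resourcegroup-0"
      secondary_master_key: <sensitive> => <computed> (attribute changed)
Plan: 1 to add, 0 to change, 1 to destroy.
"""
SUMMARY_RE = re.compile(r"Plan: (\d+) to add, (\d+) to change, (\d+) to destroy\.")
RESOURCE_RE = re.compile(r"^\s*(-/\+|[-+~])\s+(\S+)")      # action marker + resource address
ATTR_RE = re.compile(r"^\s*([\w.#]+):\s*(.+)$")             # attribute: old => new

@dataclass
class PlanReview:
    add: int = 0
    change: int = 0
    destroy: int = 0
    replaced: list = field(default_factory=list)   # resources marked -/+ (destroy + create)
    sensitive: list = field(default_factory=list)  # attributes Terraform masks in the plan
    def is_safe(self, allow_destroy=False):
        # CI gate: reject any plan that destroys or replaces resources unless explicitly allowed
        return allow_destroy or (self.destroy == 0 and not self.replaced)

def review_plan(text):
    review, current = PlanReview(), None
    for line in text.splitlines():
        m = SUMMARY_RE.search(line)
        if m:
            review.add, review.change, review.destroy = map(int, m.groups())
            continue
        m = RESOURCE_RE.match(line)
        if m:
            current = m.group(2)
            if m.group(1) == "-/+":
                review.replaced.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current and "<sensitive>" in m.group(2):
            # masked in the plan output, but kept in clear text in the state file
            review.sensitive.append(f"{current}.{m.group(1)}")
    return review
```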
16. ARM Templates
• Microsoft native IaC solution
• Declarative templates written in JSON format
• Azure Cloud and Azure Stack only
• Generate ARM templates from the Azure Portal for any resource
• Manual dependency handling
• Great integration with other Azure services (e.g. KeyVault, StorageAccounts)
17. ARM Templates and the Azure Resource Manager
• Describe infrastructure inside JSON file
• Deployment possible in many different languages
(PowerShell, Bash, .NET, Ruby, Python, JavaScript or via REST API)
18. ARM Templates and the Azure Resource Manager
• Resource Manager is the core component for all deployments
• Resource Manager takes care of
• Provisioning and configuring
• Parallelizing the deployment
• Validating the resources
19. ARM Templates – Special Features – Key Vault
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "administratorLoginPassword": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/<subscription-id>/resourceGroups/examplegroup/providers/Microsoft.KeyVault/vaults/<vault-name>"
        },
        "secretName": "examplesecret"
      }
    }
  }
}
23. Conclusion – ARM vs. Terraform
Terraform
+ Plan feature
+ Dependency management
- State file
- Security features
ARM
+ Microsoft native
+ Security features
- Plan feature
- Dependency management
24. Conclusion - IaC
• Automate your deployment and recovery process
• Speed and simplicity
• Provides consistency across all deployments and stages
• Minimize risks
• Necessary in large environments