Chef as a One-Stop Solution on Microsoft Azure
Download as PPTX, PDF0 likes79 views
Lichtblick, a leading provider of green energy in Germany, utilizes Microsoft Azure and Chef for its IT infrastructure and application provisioning. The IT department aims to automate processes and promote collaboration through custom cookbooks and CI/CD pipelines, highlighting a commitment to compliance and observability. The document details the evolution of their provisioning strategies and invites collaboration on open-source efforts related to their infrastructure code.
![My part in the game
• „Most of what architects have done traditionally should be done by
developers, or by tools, or not at all.“
• “An architect’s value is inversely proportional to the number of
decisions he or she makes.”
[ Erik Doernenburg & Martin Fowler, Craft Conf 2016 ]](https://image.slidesharecdn.com/karstenmueller-onestop-chefconf2019slideshare-190607101105/85/Chef-as-a-One-Stop-Solution-on-Microsoft-Azure-4-320.jpg)
![My part in the game
• „Most of what architects have done traditionally should be done by
developers, or by tools, or not at all.“
• “An architect’s value is inversely proportional to the number of
decisions he or she makes.”
[ Erik Doernenburg & Martin Fowler, Craft Conf 2016 ]
• Roughly resulting in
o Working in Teams to collaborate on
Infrastructure Code
o Providing some guidance](https://image.slidesharecdn.com/karstenmueller-onestop-chefconf2019slideshare-190607101105/85/Chef-as-a-One-Stop-Solution-on-Microsoft-Azure-5-320.jpg)
![Compliance Checks – windows-baseline
control 'windows-001' do
title 'Ensure 'Enforce password history' is set to '24 or more password(s)''
desc 'This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password.
impact 1.0
tag 'windows': ['2012R2', '2016', '2019']
tag 'profile': ['Domain Controller', 'Member Server']
tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '1.1.1'
tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '1.1.1'
tag 'level': '1'
tag 'bsi': ['SYS.1.2.2.M3', 'Sichere Administration']
ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-
Modernisierung/UH_Windows_Server_2012.html'
ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
We added references to BSI* „IT-Grundschutz“
*BSI = German Federal Office for Information Security](https://image.slidesharecdn.com/karstenmueller-onestop-chefconf2019slideshare-190607101105/85/Chef-as-a-One-Stop-Solution-on-Microsoft-Azure-10-320.jpg)
![Provisioning Cookbook – Azure Resources
Provisioning Role for Azure Resources
Default Attributes
default['tenant'] = 'a6238652-91a6-4d9a-90ga-3f16b12dc7c3'
default['subscription'] = 'a2d596e5-2671-463g-96bd-ff487gdb6269'
default['location'] = 'westeurope'
default['resource_tags'] = {}
default['arm_template_folder'] = Chef::Config[:file_cache_path]
default['skip_validation'] = false
Resources with specific attributes
• Network
• Network Security Group
• Virtual Machine
• Application Insights
• Availability Set
• Storage Account
• User Assigned Identity
• Key Vault
• Service Bus
• Azure Functions
• Scale Set](https://image.slidesharecdn.com/karstenmueller-onestop-chefconf2019slideshare-190607101105/85/Chef-as-a-One-Stop-Solution-on-Microsoft-Azure-15-320.jpg)
![Provisioning Cookbook – Azure Network Resource
default['network'] = {
resource_group: 'rg-sharedenv-dev-net',
default_template_parameters: {},
subnets: []
}
Scheme
default_template_parameters: {
virtual_network_name: 'vnet-eu2-157_0_0-20',
virtual_network_address_prefix: '10.157.0.0/20',
dns_servers: ['10.144.2.4', '10.144.2.5']
}
subnets: [
{
name: 'subnet-eu2-157_0_0-24-gendev',
address_prefix: '10.157.0.0/24',
nsg_name: 'nsg-subnet-eu2-157_0_0-24-gendev'
}
]](https://image.slidesharecdn.com/karstenmueller-onestop-chefconf2019slideshare-190607101105/85/Chef-as-a-One-Stop-Solution-on-Microsoft-Azure-16-320.jpg)
Chef as a One-Stop Solution on Microsoft Azure
- 2. Chef as a One-Stop Solution on Microsoft Azure Karsten Mueller, IT-Architect
- 3. Some background • Company LichtBlick SE o LichtBlick is the leading provider of green electricity and green gas in Germany. Over one million people - the LichtBlicker - already rely on our forward-looking energy products. o 460 Employees, $780 million revenue in 2017 • LichtBlick IT Department (80 Employees) o „We strive to build the most automated and customer-focused platform for the energy business in Germany“ o Custom .NET Applications & Standard Software o Using Azure Cloud & On-Premises Datacenters
- 4. My part in the game • „Most of what architects have done traditionally should be done by developers, or by tools, or not at all.“ • “An architect’s value is inversely proportional to the number of decisions he or she makes.” [ Erik Doernenburg & Martin Fowler, Craft Conf 2016 ]
- 5. My part in the game • „Most of what architects have done traditionally should be done by developers, or by tools, or not at all.“ • “An architect’s value is inversely proportional to the number of decisions he or she makes.” [ Erik Doernenburg & Martin Fowler, Craft Conf 2016 ] • Roughly resulting in o Working in Teams to collaborate on Infrastructure Code o Providing some guidance
- 6. System Libraries Packages Middleware Application Operating System Cloud Infrastructure Cookbooks Our Approach Delivering Applications Profiles
- 7. Our Approach Delivering Applications • Custom Cookbooks (reusing Community Cookbooks) • Chef Server • Configuration data and Cookbooks • Custom InSpec Profiles • Chef Automate • Provides observability for all engineers • Azure DevOps as CI/CD Pipeline
- 8. Cookbooks • Deployment of Custom .NET Applications • Windows OS Customization (AD join, Anti-Malware, …) • Windows OS Hardening • Azure Ressource Provisioning using azure_mgmt resources from Azure SDK for Ruby
- 9. Compliance Checks • Compliance Checks • CIS profiles • Custom profiles • LichtBlick contributed to „dev-sec/windows-baseline“ • https://github.com/LichtBlick/windows-baseline • Observability
- 10. Compliance Checks – windows-baseline control 'windows-001' do title 'Ensure 'Enforce password history' is set to '24 or more password(s)'' desc 'This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. impact 1.0 tag 'windows': ['2012R2', '2016', '2019'] tag 'profile': ['Domain Controller', 'Member Server'] tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '1.1.1' tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '1.1.1' tag 'level': '1' tag 'bsi': ['SYS.1.2.2.M3', 'Sichere Administration'] ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html' ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz- Modernisierung/UH_Windows_Server_2012.html' ref 'Center for Internet Security', url: 'https://www.cisecurity.org/' We added references to BSI* „IT-Grundschutz“ *BSI = German Federal Office for Information Security
- 11. Provisioning - the good, the bad und the ugly
- 12. Provisioning - the good, the bad und the uglyg
- 13. Provisioning - the good, the bad und the ugly • Decision to provision Azure resources with Chef & Azure resource manager (ARM) • Used chef-provisioning-azurerm from Stuart Preston for a while • Developed custom Library Cookbook „azure-chef-deployment“ • based on gems „azure_mgmt_* Our „One Stop Solution“ • Separate Chef Roles are describing Azure resource provisioning and Application Deployment (in 2016) (in 2018) today
- 14. Provisioning Azure Resources with Chef Code Cookbooks Build Lint & Test Release Chef Zero Azure DevOps Azure Resources Ressource Group Network Application Virtual Machine Azure Keyvault Azure Ressource Manager Azure Active Directory ARM Template Secrets Authentication Chef Server Provisioning Role & Cookbook Private Agent
- 15. Provisioning Cookbook – Azure Resources Provisioning Role for Azure Resources Default Attributes default['tenant'] = 'a6238652-91a6-4d9a-90ga-3f16b12dc7c3' default['subscription'] = 'a2d596e5-2671-463g-96bd-ff487gdb6269' default['location'] = 'westeurope' default['resource_tags'] = {} default['arm_template_folder'] = Chef::Config[:file_cache_path] default['skip_validation'] = false Resources with specific attributes • Network • Network Security Group • Virtual Machine • Application Insights • Availability Set • Storage Account • User Assigned Identity • Key Vault • Service Bus • Azure Functions • Scale Set
- 16. Provisioning Cookbook – Azure Network Resource default['network'] = { resource_group: 'rg-sharedenv-dev-net', default_template_parameters: {}, subnets: [] } Scheme default_template_parameters: { virtual_network_name: 'vnet-eu2-157_0_0-20', virtual_network_address_prefix: '10.157.0.0/20', dns_servers: ['10.144.2.4', '10.144.2.5'] } subnets: [ { name: 'subnet-eu2-157_0_0-24-gendev', address_prefix: '10.157.0.0/24', nsg_name: 'nsg-subnet-eu2-157_0_0-24-gendev' } ]
- 17. Provisioning - Our Learnings so far • Using Chef Roles for Provisioning & Deployment is easy • Promoting changes over stages is still to be improved • Even a thin abstraction layer brings in dependencies • On ruby gems being the same version as in ChefDK • Interested in using our Provisioning Cookbook as OpenSource? • Just ping me: karsten.mueller@lichtblick.de, @karmueller
- 18. Provisioning – Q&A • Your Questions? • What kind of Cloud resources do you have to provision? oIaaS (Virtual Machines, Networks, …), PaaS Services oKubernetes as a Service o… • What approach are you using? oManually using the Web UI oProgrammatically using Provider specific API oTerraform o…
Editor's Notes
- #3: Raise hands Actually using Public Cloud Provider? Like movies? Every time you spot a movie reference shout out lou
- #4: LichtBlick ~ „ray of hope“
- #5: The Matrix Reloaded (2003) Maybe: Drunken Master (1994)?
- #6: The Matrix Reloaded (2003) Maybe: Drunken Master (1994)?
- #12: Sergio Leone: The Good, the Bad and the Ugly (1967)
- #13: Sergio Leone: The Good, the Bad and the Ugly (1967)
- #14: ... pretty good;)
- #19: Your Questions?