Presentation ARM-Terraform DevOps Infrastructure as Code

• Discuss Background
• ARM Overview
• Template areas
• Authoring
• Portal (exporting)
• Advance features
• Terraform Overview
• ARM / Terraform Comparison
• Dev Ops ARM / Terraform
Agenda Overview
Estimated availability: CY17 Q1 (Public Preview)

ARM

• ARM template – A JSON template that deploys resources to a resource group using a declarative syntax through
a resource provider.
• ARM templates are Azure’s Infrastructure as Code (IaC)
• Allows for ”some” configuration. ARM templates are NOT configuration!
• You can call Virtual Machine extensions for configuring IaaS
• You can still use DSC, Puppet, Chef to perform configuration
• Packer can be used to create fully initialized images
• ARM templates are idempotent – you can run over and over. You should keep these in source control and be
part of your Dev Ops release pipelines. To rollback to a prior version, just deploy the prior ARM template
• Resource dependencies – creates the resources in the correct order
• Samples: https://aka.ms/armtemplates
• Building Blocks: https://github.com/mspnp/template-building-blocks
• ARM templates are not for “classic” Azure deployments
Azure Resource Manager Templates (ARM)

{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "",
"parameters": { },
"variables": { },
"functions": [ ],
"resources": [ ],
"outputs": { }
}
ARM – Sections of a template

• $schema – location of JSON schema
• contextVersion – The version of the template
• parameters – values for the template. Theses do not have to be provide, they can be provided via a external parameters.json
file or they can be provided command line. They can provide restrictions like allowed values, default valuts, min and max
lengths along with metadata for a description. Parameters can be objects.
• Command line (inline) parameters take precedence over the ones in the template file
• You cannot use command line and an external parameters JSON file at the same time
• Parameters can be string, secureString, int, boolean, object, secureObject, array
• variables – values that can be used in your template
• functions – there are built in functions and you create own (usually used to reduce complicated expressions)
• resources – the Azure resources to be deployed
• outputs – items that are returned from the deployment
ARM – Sections of a template

• Complete
• Resources are deployed and existing resources in the resource group that are not included in the template are
deleted.
• Incremental
• Resources are deployed without deleting existing resources that are not included in the template
• Verification (not “technically” a mode)
• Test your template and parameter values without actually deploying any resources
CHECK: On if this will show a delta plan.
• az group deployment validate
ARM Deployment Modes

• https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-linked-templates
• You can link your templates together instead of building one monolithic template
• Dependencies cross templates: "[reference('<name-of-deployment>').outputs.<property-name>.value]"
• Output variables can be used "dependsOn": [ "linkedTemplate" ]
ARM – Linked template
Storage
SQL Database
Databricks
Storage
SQL Database
Databricks
Main
Single Template Linked Template
"resources": [
{
"apiVersion": "2017-05-10",
"name": "linkedTemplate",
"type": "Microsoft.Resources/deployments",
"properties": {
"mode": "incremental",
"templateLink": {
"uri":"https://.../myTemplate.json",
"contentVersion":"1.0.0.0"
},
"parametersLink": {
"uri":"https://.../myParameters.json",
"contentVersion":"1.0.0.0"
}
}
}
]

• Resource Group Automation: Reverse Engineering
• The export does not always export all resources:
ARM Azure Portal

• Portal – JSON templates (sharing)
• Azure Dev Ops
• REST API
• PowerShell
• Azure CLI
• .NET
• Java
• Ruby
• Node.js
• Etc.
ARM Deployment
az group deployment create
--name MyName
--resource-group MyResourceGroup
--location eastus
--template-file template.json
--parameters @parameters.json
New-AzureRmDeployment `
-Name MyName `
-ResourceGroupName MyResourceGroup `
-Location eastus `
-TemplateFile template.json `
-TemplateParameterFile parameters.json

• dependsOn - lets you control the order in which resources are created. This can also affect how much
parallelism you get from your template. You can have dependencies on multiple resources.
• Child resources – resources defined within a resource up to fix level deep. These are part of the same
“namespace” of the parent resource. You need to have a dependency between the two resources to control the
deployment order.
• Referencing – If a resource references (“reference function”) the name or output of another resource a
dependencies is created.
ARM Dependencies

• Conditionals – allow you to controls if a resource (level) is created during the deployment of the ARM template.
• Uses
• Skip creating a resource
• Create two of the same resource, but configure differently. For example if you have a private web app
you might want a certain setup versus a public web app.
• Some customers use conditions instead of nested ARM templates for conditions
ARM Conditions
condition": "[equals(parameters('MyParameter'),'OptionA')]"

• ARM Functions (built in):
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-functions
• Custom Functions:
ARM Functions
"functions": [
{
"namespace": "myMainTemplateNamespace",
"members": {
"generateUniqueName": {
"parameters": [
{
"name": "myName",
"type": "string"
}
],
"output": {
"type": "string",
"value": "[concat(toLower(parameters('myName’)),
uniqueString(resourceGroup().id))]"
}
}
}
}
]

• Send output out of the ARM deployment process
• You can view these values in the portal
• You can view with CLI / PowerShell
ARM Outputs
"outputs": {
"AzureWebAppHost": {
"type": "string",
"value": "[reference(variables('webSiteName')).defaultHostName]"
}
}
az group deployment show
--resource-group MyResourceGroup
--name MyDeploymentName
--query properties.outputs.resourceID.value

• You can deployment templates with key vault (only as parameters)
• https://www.linkedin.com/pulse/accessing-key-vault-secrets-from-arm-templates-paul-towler/
ARM KeyVault Integration
"MY-ARM-PARAMETER-NAME": {
"reference": {
"keyVault": {
"id": "/subscriptions/<<SUBSCRIPTION-ID>>/resourceGroups/<<RESOURCE-GROUP>>/
providers/Microsoft.KeyVault/vaults/<<KEY-VAULT>>"
},
"secretName": "MY-SECRET-NAME-IN-KEY-VAULT"
}
}

• ARM can create multiple instances of resources in a loop
• Parameters can be JSON: https://docs.microsoft.com/en-us/azure/architecture/building-blocks/extending-
templates/objects-as-parameters
• Reference for each ARM resource: https://docs.microsoft.com/en-us/azure/templates/
ARM Copy Command / Complex Types

• VS Code
• Install: https://marketplace.visualstudio.com/items?itemName=msazurermtools.azurerm-vscode-tools
• Copy this: https://raw.githubusercontent.com/Azure/azure-xplat-arm-tooling/master/VSCode/armsnippets.json
• Paste into File -> Preferences -> User Snippets -> JSON
• Type arm- “ctrl+space”
• Visual Studio
• Buid your template through wizards
• Tip: Start at a low level and work your way up to larger objects (e.g. build VNETs and Storage first)
ARM Editors

• ARM templates can get really big and really confusing, you should break apart into separate linked templates
• ARM template do have a comment field (that helps for documenting)
• Deploy an empty ARM template to “delete” all resources. This will clear out a resource group which is important
when you want to save your RBAC permission on the resource group.
• You can reference an HTTPS address. Customers will place their templates in blob storage, create a SAS token
and then call (if they are not doing Dev Ops).
• Errors are not always obvious (template could fail due to quota).
• “Borrow” as much as you can from other templates online.
• Keep any SAS tokens with a short expiration (you can see the ARM URLs in the portal)
• ARM templates are used for Azure Blueprints:
https://docs.microsoft.com/en-us/azure/governance/blueprints/overview
• You can deploy to multiple resource groups and subscriptions:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-cross-resource-group-depl
oyment
• Not every region contains every Azure service
• Check the Activity Log for errors
• Use the –rollback-on-error flag to rollback
ARM Tips / Tricks / Problems

Terraform

• Terraform is an orchestration tool for provisioning cloud resources
• Terraform is multi-cloud (Azure, AWS, on-prem)
• Terraform uses state files
• Terraform is NOT configuration!
• You can call Virtual Machine extensions for configuring IaaS
• You can still use DSC, Puppet, Chef to perform configuration
• Packer can be used to create fully initialized images
• Terraform uses HashiCorp Configuration Language (HCL)
• Terraform recovers from transient errors
• Terraform has many providers: https://www.terraform.io/docs/providers/index.html
• Samples: https://github.com/terraform-providers/terraform-provider-azurerm/tree/master/examples
• Azure Resources supported: https://www.terraform.io/docs/providers/azurerm/
• Azure / Terraform Q&A: https://open.microsoft.com/2018/01/04/top-questions-about-terraform-and-azure/
Terraform

• terraform init – initialize state
• terraform validate – validate your templates
• terraform plan – plan your deployment, see what will occur
• terraform apply – execute the deployment
• terraform destroy – delete your deployment
Terraform Commands

Terraform Structure of file
terraform {
backend "azurerm" {
storage_account_name = "samplebase”
container_name = "<Name_of_the_storage_container>"
key = "remotestatetest.tf"
container_name = "terraform"
access_key = "<<REMOVED>>"
}
}
provider "azurerm" {
subscription_id = "<<REMOVED>>"
client_id = "<<REMOVED>>"
client_secret = "<<REMOVED>>"
tenant_id = "<<REMOVED>>"
}
resource "azurerm_resource_group" "default" {
name = "${var.resource_group_name}"
location = "${var.location}"
}
resource "azurerm_app_service_plan" "default" {
name = "${var.app_service_plan_name}"
location = "${azurerm_resource_group.default.location}"
resource_group_name = "${azurerm_resource_group.default.name}"
sku {
tier = "${var.app_service_plan_sku_tier}"
size = "${var.app_service_plan_sku_size}"
}
}
Resources are anything that can
be managed. Terraform
also
provide a “name” for each
resource (this is for Terraform
only).
Interpolations are ways to
reference attribute of other
resources.

• Variables can be used throughout the main template
• Variables can be set in files (tf) file
• Variables can be set in a (tfvar) file
• Variables can be set via command line
• String variables can be read from environment variables
• Terraform can also prompt you for variables
Terraform Variables
variable "resource_group_name" {
type = "string"
description = "Name of the azure resource group."
default = "AppResourceGroup"
}
resource_group_name=TestRG
terraform apply –var "resource_group_name=TestRG"
"TF_VAR_resource_group_name"

• Terraform loads all the ”.tf” files in the current directory
• Terraform loads the terraform.tfvars file and/or *.auto.tfvars files in the current directory
• NOTE: Do not use both a .tf and .tfvars in the same directory. Terraform will get confused.
• Variables have precedence
• Command line
• From files (order of files matters)
• Environment Variables
• UI Input
Terraform Combining Templates / Variables

• Outputs can be specified
• Outputs can be queried after a run using the terraform output <<output name>>
Terraform Outputs
output "app_service_default_hostname" {
value = "https://${azurerm_app_service.default.default_site_hostname}"
}
./terraform output app_service_default_hostname

• You must initialize the Terraform State
• This can be done for ”all” of your infrastructure (rollbacks can be big / scary). You can also have state per resource
group / application. Workspaces should be used to help separate application and environment boundaries.
• Remote state should use Azure Blob Storage. Keeping state on a local machine is a big concern. The Pro / Premium
Enterprise editions of Terraform provide a state server as well.
• You can have people competing over getting a lock to the state file
• NOTE: Secrets can be written to your state file
Terraform State
./terraform init

• Terraform plan will show you what Terraform will perform
• Plans use
• + resource will be created
• - resource will be destroyed
• ~ resource will be updated in place
• -/+ resource will be destroyed and re-created
• Terraform apply runs the deployment
• If you generate a plan and the state changed, you need a new plan. You need to do some extra steps to run this plan
on a different machine.
Terraform Plan / Apply
./terraform plan
./terraform plan –out myplan
./terraform apply -input myplan
./terraform apply

• You can import existing resources
• You currently need to import each resource one by one
• You must start with an empty template
• You import each resource one by one
• You have to update your TF file by hand (?)
Terraform Import
./terraform import

• Terraform can do Loops (like ARM count) to create many of the same resources
• Terraform can do basic if..then tests.
• Terraform can do For loops
• Built in Functions: https://www.terraform.io/docs/configuration/interpolation.html
Terraform Loops / If statements / For
"${var.env == "production" ? var.prod_subnet : var.dev_subnet}"

• Modules – create reusable group of resources
• Workspaces – switch between multiple instances of a single configuration (almost like branches of code?).
• KeyVault – use secrets from Azure Key Vault: https://www.terraform.io/docs/providers/azurerm/r/key_vault.html
• Run ARM templates:
https://github.com/terraform-providers/terraform-provider-azurerm/blob/master/examples/encrypt-running-linux-vm
/main.tf
• Run VM Extensions (commandToExecute):
https://github.com/terraform-providers/terraform-provider-azurerm/blob/f1403facda37e529208d284f874a25bbbac0b
14a/examples/vm-custom-image-new-storage-account/main.tf
Terraform Other Features

• Terraform is getting more and more support
• Terraform is installed in Azure Cloud Shell by default
• Corey Sanders (Partnership): https://azure.microsoft.com/en-us/blog/investing-deeply-in-terraform-on-azure/
• ARM Templates can use Terraform providers for (Kubernetes, Cloudflare and Datadog)
https://azure.microsoft.com/en-us/blog/introducing-the-azure-terraform-resource-provider/
Terraform / Microsoft

Dev Ops

Bringing native Azure support to
customers using Terraform
• Documentation Hub for Terraform
• Terraform in Azure Cloud Shell
• Azure Resource Provider
• Azure Module Registry
https://registry.terraform.io/module
s/azure
• Azure Cloud Shell Integration
• https://docs.microsoft.com/en-us/az
ure/terraform/
DevOps Integrations - Terraform

• CI / CD Pipeline with ARM
• Different Environments
• Override Variables
• CI / CD Pipeline with Terraform
• Overriding Variables
• State in blob storage (init)
Azure Dev Ops Demo

Comparison

Feature Comparison
Feature ARM Terraform
Infrastructure as Code (IaC) Yes Yes
Readability JSON HashiCorp Config Language (HCL)
Execution plans No Yes
Dependencies Yes (Explicit) Yes (Implied)
Multi-Cloud No Yes
Configuration Limited Limited (can do some storage tasks)
Rollback State Yes – deploy prior template / rollback Yes – maintains state
Azure Preview features Yes Yes – inline ARM snippets
KeyVault support Yes Yes
Corrupted State State not needed Can be an issue
Supports Dev Ops Yes Yes
Cost / Support Free, uses Azure support Free / Paid (purchase support)
Parallel deployments Yes Yes

Feature Comparison
Feature ARM Terraform
Runs “Locally” ARM template is uploaded / deployed
in Azure
Terraform uses REST calls via a client
machine
Delete resource in portal and not worry
about state
Yes No
Support Comments Via an Attribute Yes including block comments
Speed Can take a while Can be fast since it can deploy just a
single item based upon its plan
Math Functions Yes Yes
Count / Loops Yes Yes
Sub-Templates/Modules Yes – Linked Templates Yes – Modules
Deploy to multiple resource groups Requires many template Can be done in one template
Reference existing resources Variable w/resource id path “data” resource type
Reverse Engineer resources Export and Visual Studio Object by Object by importing

Feature Comparison
• Do you need state or want to manage this?
• Do you need workspaces / enterprise deployment or just put your templates in source control with each application?

Presentation ARM-Terraform DevOps Infrastructure as Code

More Related Content

Similar to Presentation ARM-Terraform DevOps Infrastructure as Code (20)

Recently uploaded (20)

Presentation ARM-Terraform DevOps Infrastructure as Code

Editor's Notes