Terraform for Azure:
the good, the bad and the ugly
Giulio Vian – DevOps Lead – Glass, Lewis & Co.
Agenda
Slides on SlideShare
What is Terraform?
Provisioning: Terraform, Azure ARM Template, Azure CLI, Azure PowerShell
Configuration: PowerShell DSC, Chef, Ansible, Packer
Deployment: Azure DevOps, Octopus Deploy
No, what is Terraform?
Single executable (kinda)
https://www.terraform.io/
The Good,
Terraform DSL
resource "azurerm_virtual_machine" "vm_demo" {
  name                  = "demovm"
  location              = "northeurope"
  resource_group_name   = "tf-demo"
  network_interface_ids = ["${azurerm_network_interface.vm_demo.id}"]
  vm_size               = "Standard_B2s"

  storage_image_reference {
    publisher = "MicrosoftWindowsServer"
    offer     = "WindowsServerSemiAnnual"
    sku       = "Datacenter-Core-1803-smalldisk"
    version   = "latest"
  }

  storage_os_disk {
    name          = "demovm-osdisk"
    caching       = "ReadWrite"
    create_option = "FromImage"
  }

  storage_data_disk {
    name          = "demovm-datadisk"
    create_option = "Empty"
    lun           = 0
    disk_size_gb  = "10"
  }

  os_profile {
    computer_name  = "DEMOVM"
    admin_username = "${var.vm_admin_username}"
    admin_password = "${var.vm_admin_password}"
  }

  os_profile_windows_config {
    provision_vm_agent        = true
    enable_automatic_upgrades = false
  }
}
Why Terraform?
ARM Template
Why Terraform?
Powershell
How it works
Command line tool:
  terraform init
  terraform plan -out temp.dat
  terraform apply temp.dat
Providers: separate executables, e.g. azurerm, azuread, azurestack
State (metadata)
Terraform basics
Terraform 0.12
Great promises
in a not-so-near future
Tip: Passing credentials
resource "azurerm_virtual_machine_extension" "my_vm_dscext" {
  #...
  protected_settings = <<PROTECTED_SETTINGS
{
  "configurationArguments": {
    "someCredential": {
      "userName": "theUser",
      "password": "${var.the_user_pass}"
    }
  }
}
PROTECTED_SETTINGS
}
Tip: assigning IPs
Static addresses: derive them from the address space instead of hard-coding them
cidrsubnet (carve a subnet out of a prefix)
cidrhost (pick a host address inside a prefix)
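An added example, not from the deck, of the static-address tip: both the subnet prefix and the NIC's private IP are computed from one address-space variable with cidrsubnet and cidrhost, so moving the address space moves every derived address consistently. It uses the Terraform 0.11 interpolation syntax of the slides; the resource group "tf-demo", the VNet and subnet names, and the host number are placeholders I chose.

```hcl
# Added example (not from the deck). Assumed names: rg "tf-demo",
# vnet "demo-vnet", subnet "app", address space 10.10.0.0/16.
variable "address_space" {
  default = "10.10.0.0/16"
}

resource "azurerm_virtual_network" "demo" {
  name                = "demo-vnet"
  location            = "northeurope"
  resource_group_name = "tf-demo"
  address_space       = ["${var.address_space}"]
}

# cidrsubnet(prefix, newbits, netnum):
#   10.10.0.0/16 with 8 extra bits, network number 1 -> 10.10.1.0/24
resource "azurerm_subnet" "app" {
  name                 = "app"
  resource_group_name  = "tf-demo"
  virtual_network_name = "${azurerm_virtual_network.demo.name}"
  address_prefix       = "${cidrsubnet(var.address_space, 8, 1)}"
}

# cidrhost(prefix, hostnum): host 10 in 10.10.1.0/24 -> 10.10.1.10
# Azure reserves the first four and the last address of every subnet
# (.0-.3 and .255 in a /24), so keep hostnum between 4 and 254 here.
resource "azurerm_network_interface" "vm_demo" {
  name                = "demovm-nic"
  location            = "northeurope"
  resource_group_name = "tf-demo"

  ip_configuration {
    name                          = "primary"
    subnet_id                     = "${azurerm_subnet.app.id}"
    private_ip_address_allocation = "static"
    private_ip_address            = "${cidrhost(azurerm_subnet.app.address_prefix, 10)}"
  }
}
```

Check the computed values with `terraform plan` before applying: a host number that lands in Azure's reserved range is rejected by the API only at apply time, and a netnum that overflows the new bits makes cidrsubnet fail during the plan.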
Tip: pulling Key Vault
Pre-load Key Vault with secrets, then read them with a data source:
data "azurerm_key_vault_secret" "test" {
  name      = "mypassword"
  vault_uri = "https://yourvault.vault.azure.net/"
}
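An added example, not from the deck, that joins the two credential tips above: the admin password is read from Key Vault with the data source and handed to the DSC extension through protected_settings rather than settings. It uses the 0.11 interpolation syntax of the slides and assumes the "vm_demo" VM from the earlier slide; the vault URI, secret name, DSC package URL and extension version are placeholders I chose.

```hcl
# Added example (not from the deck). Assumptions: a vault at var.key_vault_uri
# holding a secret "vm-admin-password"; the identity running terraform has
# the "get" secret permission in the vault's access policy.
variable "key_vault_uri" {
  default = "https://yourvault.vault.azure.net/"
}

data "azurerm_key_vault_secret" "vm_admin" {
  name      = "vm-admin-password"
  vault_uri = "${var.key_vault_uri}"
}

resource "azurerm_virtual_machine_extension" "vm_demo_dsc" {
  name                       = "dsc"
  location                   = "northeurope"
  resource_group_name        = "tf-demo"
  virtual_machine_name       = "${azurerm_virtual_machine.vm_demo.name}"
  publisher                  = "Microsoft.Powershell"
  type                       = "DSC"
  type_handler_version       = "2.77" # assumed version
  auto_upgrade_minor_version = true

  # "settings" is stored and returned in clear text by the ARM API:
  # only non-secret material belongs here.
  settings = <<SETTINGS
{
  "configuration": {
    "url":      "https://example.invalid/DscConfig.zip",
    "script":   "DscConfig.ps1",
    "function": "DscConfig"
  }
}
SETTINGS

  # "protected_settings" is encrypted for the extension handler and is
  # never echoed back by ARM, so the password does not show in the portal
  # or in a GET of the extension.
  protected_settings = <<PROTECTED_SETTINGS
{
  "configurationArguments": {
    "someCredential": {
      "userName": "theUser",
      "password": "${data.azurerm_key_vault_secret.vm_admin.value}"
    }
  }
}
PROTECTED_SETTINGS
}
```

Two caveats a practitioner should keep in mind. First, the secret value still passes through Terraform and is written to terraform.tfstate in clear text, so the protection here is against the Azure side, not against whoever can read the state: lock the state backend down as the "Ugly" part of the deck recommends. Second, the heredoc is interpolated as raw JSON, so a secret containing a double quote or backslash breaks the document; keep generated secrets to characters that need no JSON escaping.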
Integration
azurerm_virtual_machine_extension
Powershell DSC
Custom script → bash / Ansible
Providers
Chef, Docker, Kubernetes
Provisioners
ssh / WinRM
Automate
Permit HTTPS to Internet*
Credential (e.g. Service Principal)
Get executable on the agent*
Run apply
There are ready-to use tasks
*optional
Scale
We have 6 environments with 150+ resources each
Goodies Summary
Simple
Modular
Integrates well with Azure
Easy to automate
the Bad,
Language Limits (HCL <0.12)
Loops are hard
Nested loop almost impossible
Ifs are hard or impossible
Catching up
Application Gateway story
Simple errors
Error: Error applying plan:
azurerm_lb_probe.lb_probe_http: Error Creating/Updating LoadBalancer
network.LoadBalancersClient#CreateOrUpdate: Failure sending request: StatusCode=0 --
Original Error: Put https://management.azure.com/subscriptions/12345678-9abc-def0-1234-56789abcdef0/resourceGroups/qa/providers/Microsoft.Network/loadBalancers/qa-loadbalancer?api-version=2017-09-01: http: ContentLength=1655 with Body length 0
Downside Summary
Limited expressive power (<0.12)
Debugging can be difficult
and the Ugly
State management
Myth: State is a map of reality. No: state is metadata, e.g. resource ids and Terraform dependencies
Set it up in a shared, locked place: Azure Storage or AWS S3
Some changes made outside Terraform are not sensed
Learn to use terraform state
Stay organized
/                        repo root
  modules                terraform modules
    utility              general purpose
    shared               common to multiple applications or environments
    application_name     internal or public application
  non-production         can be rebuilt any moment
    shared               common to multiple environments, e.g. deploy agents, jumpbox
    qa                   integration test
    uat                  user acceptance test
    perf                 load testing
  production             everything here is critical
    ...                  details on next slide
Stay organized (cont’d)
/                        repo root
  production             everything here is critical
    legacy               hand-made infrastructure, e.g. TFS
    shared               common to main and DR, e.g. networking
    live                 PRODUCTION ENVIRONMENTS
      network            "everlasting" resources
      data-tier          long-lived resources
      app-tier           short-lived resources
        app_name         resources for an app
    dr                   disaster recovery site
      ...                as above
Folders and state
Each leaf has a state file
Source can refer to existing state files
production
  shared               production/shared/terraform.tfstate
  live
    network            production/live/network/terraform.tfstate
    app-tier           production/live/app-tier/terraform.tfstate
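An added example, not from the deck, showing how the "Automate" and "Folders and state" slides fit together for one leaf (production/live/app-tier): the provider takes its Service Principal credentials from the environment, the state lives locked in Azure Storage under the leaf's key, and a terraform_remote_state data source reads an output of the network leaf instead of sharing its state file. It uses the 0.11 syntax of the slides; the storage account "tfstateprod", container "tfstate" and the output name "app_subnet_id" are placeholders I chose.

```hcl
# Added example (not from the deck). Placeholders: storage account
# "tfstateprod", container "tfstate", output "app_subnet_id".

# Service Principal credentials are read from ARM_CLIENT_ID, ARM_CLIENT_SECRET,
# ARM_TENANT_ID and ARM_SUBSCRIPTION_ID, so the build agent holds them as
# secret variables and nothing secret is committed with the source.
provider "azurerm" {}

terraform {
  backend "azurerm" {
    storage_account_name = "tfstateprod"
    container_name       = "tfstate"
    key                  = "production/live/app-tier/terraform.tfstate"

    # The storage access key is deliberately absent: supply it with the
    # ARM_ACCESS_KEY environment variable or -backend-config at init time.
    # The backend takes a blob lease on the key above, which is the lock
    # that stops two concurrent applies on the same leaf.
  }
}

# Read-only view of the network leaf; only its declared outputs are visible.
data "terraform_remote_state" "network" {
  backend = "azurerm"

  config {
    storage_account_name = "tfstateprod"
    container_name       = "tfstate"
    key                  = "production/live/network/terraform.tfstate"
  }
}

# In production/live/network the referenced value must be exported:
#   output "app_subnet_id" {
#     value = "${azurerm_subnet.app.id}"
#   }
resource "azurerm_network_interface" "app" {
  name                = "app-nic"
  location            = "northeurope"
  resource_group_name = "production-live"

  ip_configuration {
    name                          = "primary"
    subnet_id                     = "${data.terraform_remote_state.network.app_subnet_id}"
    private_ip_address_allocation = "dynamic"
  }
}
```

Two checks worth building into the pipeline: give the agent's principal read access to every state container it must consult but write access only to its own leaf, and remember that anyone who can read a state blob can read every secret that passed through that leaf (see the credential tip above), so the storage account deserves the same access review as Key Vault.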
Three steps to import
1. Define as regular resources
2. Add the safety clause
lifecycle {
  prevent_destroy = true
}
3. Include in state: terraform import
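The three import steps carried through for a hand-made resource group, as an added example that is not from the deck. The resource group name and the subscription id are placeholders; the import command and the plan check are given as comments because they are run from the shell, not from the configuration.

```hcl
# Added example (not from the deck). Placeholders: rg "legacy-rg",
# <subscription-id> in the import command.

# Step 1: describe the existing resource exactly as it is in Azure
# (name, location, tags). Anything that differs shows up as a change in plan.
resource "azurerm_resource_group" "legacy" {
  name     = "legacy-rg"
  location = "northeurope"

  # Step 2: safety clause. If a later refactor makes Terraform want to
  # replace this resource, plan fails instead of destroying hand-made
  # infrastructure.
  lifecycle {
    prevent_destroy = true
  }
}

# Step 3: write the existing resource into state (run from the shell, once):
#
#   terraform import azurerm_resource_group.legacy \
#     /subscriptions/<subscription-id>/resourceGroups/legacy-rg
#
# Then run `terraform plan` and insist on "No changes": import only records
# the resource in state, it does not edit the configuration, so a non-empty
# plan means the block above does not match reality and the next apply
# would alter the resource.
```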
Tips: HCL parser idiosyncrasies
Regex might be troublesome; doubled escaping is not unusual
Unpleasant Summary
Low-level commands and attributes for state
Refactoring impacts state
Wrap-up
Succeeded?
Study the book
Terraform: Up and Running: Writing Infrastructure as Code, Y. Brikman (O'Reilly)
Bio in pictures
giulio.dev@casavian.eu
@giulio_vian
https://www.slideshare.net/giuliov
https://tfsaggregator.github.io
http://blog.casavian.eu/
First computer (hardware spec: 1KB RAM, upgradable to 16KB; 4KB ROM), companies, communities
End of transmissions
Editor's Notes
1. No, state is metadata, e.g. Terraform dependencies. Read the book. Similar "aha" moment with Ansible.