When you read the term infrastructure, you may visualize hours spent in a fidget datacenter racking, stacking, cabling servers, and connecting network hardware. IT professionals recognize this work as part of their everyday job, some new to the datacenter, may not work in the cloud only and not in a professional on-premises datacenter. You learn to use tools to automate Microsoft Azure deployment of cloud services. The tools and processes to deploy software-defined datacenter components is commonly referred to as infrastructure as code (IaC).
In this chapter you learn how to use software to define data services and then create networks, servers, and applications. You learn how to use code to securely connect cloud services for user access. You learn to use enterprise ready tools to create a process for managing and provisioning cloud infrastructure as code using definition files.
Similar to an on-premises datacenter, new hardware with different motherboards and network interface cards and capabilities are brought online for new applications. Microsoft Azure development continues to enhance underlying hardware and refine hosting software so that you can redeploy IaC to support new services.
Overview of infrastructure as code
An IaC example
Azure Resource Manager (ARM) templates
HashiCorp Terraform on Azure
Deploying VNets with code (example)
Deploying VMs with code (example)
IaC enhancement considerations
Troubleshooting IaC
Overview of IaC in Microsoft Azure
There is a DevOps (development operations) relationship in deploying infrastructure as code to continuous integration and continuous delivery (CI/CD) . The same types of tools used in engineering development are used to deploy IaC in Microsoft Azure and any major cloud. To be clear, the audience for this topic includes cloud architects and cloud administrators, who have the deep subject matter expertise to deploy cloud services using the Azure portal. Providing a codified workflow to create, re-create, and redeploy software-defined networks (SDN) and cloud infrastructure is a game-changer.
IaC workflow or processes support changing and updating existing SDN infrastructure safely and with predictability. For the discussions in this chapter, and as a cloud administrator or cloud engineer, you are expected to have previous experience in deploying Azure services like VNets, VMs, and security best practices using the Azure portal. Like engineering developers, IaC engineers adopted Agile development methods. They created a standard corporate integration with application code workflows like Azure DevOps, Git, GitLab, and other CI/CD pipeline tools like Jenkins.
In a datacenter (virtual or physical), over time, there is the problem of changing from the initial deployment, which is sometimes called drift . When physical servers are deployed and operating systems installed, the environment changes as maintenance is applied to systems. Cloud operations are always tasked to maintain stable production services, so Azure services must be immutable, and the deployment using IaC tools must guarantee repeatability. The word immutable is used in our IaC conversations to support the foundation of repeatability, reduce drift, and enable automation; all three are needed to support predictable and healthy Azure services deployment.
Azure Resource Manager (ARM) templates
HashiCorp Terraform
Azure Resource Manager is a service that creates software-defined networks and provisions idempotent configurations in an Azure subscription. ARM templates are defined in a JavaScript Object Notation (JSON) format to define the infrastructure and configure the application project. The ARM template uses a declarative syntax to deploy network infrastructure, storage, and virtual machines to Azure. The declarative JSON templates call the Azure REST API.
Microsoft Azure Blueprints (and the rebranded next version)
ServiceNow Azure Cloud Management Blueprint
The developers, operations, and business are disconnected. In this chapter, we want to identify IaC tools, including CI/CD pipelines, to support a transformation and a library of offerings to grow the business in a secure process.
Infrastructure as Code Example
We use an IaC example to reveal the toolset options for both Azure built-in and external tools as you progress through the steps to create and (optionally) deploy into your Microsoft Azure subscription. The exercise teaches the specific workflow processes needed to deploy software-defined networks and virtual machines using both Microsoft ARM and HashiCorp Terraform.
The exercise compares Microsoft ARM and HashiCorp Terraform processes and specifically guides you in creating virtual network and server components. This exercise is simple and not designed to provide a deep dive into Azure services automation steps. The guidance for building skills that enable you to master becoming highly efficient with either method of IaC library construction and automated deployment would require a dedicated book on both ARM and Terraform.
If you are new to developing code to deploy Azure services, this exercise is for you and business decision-makers. If you are skilled in IaC deployment to Azure, then this exercise may appear simplistic. The software template services were selected because they are critical to software-defined constructs that support real-world deployments, such as virtual machines, which has the most complex set of parameters, including Azure availability sets, network interface cards (NIC), and hard disk drives.
This exercise is used to introduces you to Azure virtual networks. The steps include the creation of VNets, with steps to configure a Network Security Group (NSG). The NSG is a software firewall that allows or denies IP traffic flow.
You can use the example in Figure 11-1 to create a new library with this IaC deployment reference model or add to your existing template repository.
IaC template basics
IaC tool configuration
Resources, parameters, variables
All the code for the software-defined infrastructure—both Microsoft Azure ARM templates and HashiCorp Terraform—can be downloaded from https://github.com/harris-soh-copeland-puca.
ARM Templates
Infrastructure as code moved beyond PowerShell scripting with the introduction of Microsoft Azure Resource Manager (ARM) templates. ARM is an Azure management layer that enables resources in Azure to be created, updated, and deleted. Infrastructure as code resources in a template support software-defined networks, load balancers, virtual machines, and container runtimes like Kubernetes.
An often overlooked security feature is Azure role-based access control (RBAC), which is a direct feature of Azure resource management layer integration with Azure Active Directory (AAD) . ARM templates work to create the virtual foundation, and additional tools are used to configure the applications for consistency and compliance.
Tools like Ansible, Chef, and Puppet are excellent applications for management across environments; they often support the cloud operations team after the network, server, and security infrastructure are created. ARM templates use JSON files that define configurations in Microsoft Azure in a declarative manner. Using templates in a software-defined format of JSON files ensures that the deployment is consistent and predictable.
Resource provider and version
Resource location
Parameters and variables
The application programming interface (API) layer of the Azure provider includes the methods, servers, services, applications, and users that interact with the resource. As API features are updated, the changes are reflected in version numbers from the resource provider. Each Azure region has resources supported for deployment that are used when deploying IaC.
An single example of a reusable library template would be the design of an ARM template. The ARM template should include the number of resources required such as a VM. You can create another ARM template that expands features, as an example, support for high availability. Azure Resource Manager supports the Azure API to create, update, and delete cloud resources. ARM templates should include version control. The version of resources then become a known resource supported by the Help Desk. The versioning numbers also support DevOps that includes continuous integration and continuous deployment (CI/CD).
Numbers
Strings
Boolean
JSON arrays
JSON objects
Azure QuickStart templates are at https://azure.microsoft.com/en-us/resources/templates/.
Microsoft Visual Studio Code installation was covered in Chapter 8 when you were introduced to the tools and training necessary for an Azure cloud engineer. If needed, return to Chapter 8 to follow the installation instructions.
- 1.
From your IaC laptop, open Visual Studio Code.
- 2.
Select the Extensions option.
- 3.
Search for the Azure ARM extension. Note the one created by Microsoft, and not another developer or corporation. Select the Install option.
- 4.
Verify that the Terraform extension is installed by using the search bar. Type @installed.
- 5.
The extension should appear in the list of installed extensions.
As Microsoft upgrades extensions and providers, the version numbers continue to increase.
$schema
parameters
variables
resources
outputs
With the installation of the extensions, you have a deeper understanding of the engineering effort between HashiCorp and Microsoft Azure.
HashiCorp Terraform on Azure
HashiCorp Terraform is an excellent cloud-agnostic tool for creating, editing, and versioning infrastructure used by global 2000 companies, as well as mid-size and smaller companies, to deliver CI/CD for IaC. The providers are engineered in a co-engineering agreement with Microsoft Azure teams to ensure a first-class support workflow using TF to deploy IaC libraries.
TF uses configuration files to describe the component needed to run an application, groups of servers, or an entire datacenter. Terraform generates an execution plan that describes the desired state and then executes to create the infrastructure through providers. This configuration syntax is an English-readable language to create blueprints of your datacenter for versioning from development, test, and production environments. Terraform has a core function to graph all resources with dependencies to support changes, additions, and reconfigurations in the correct dependency order.
Terraform leverages a provider, which is code written to support authentication and authorization, is responsible for interactions through a cloud API. This chapter focuses on the Microsoft Azure cloud provider, which has been a collaboration effort, please review Figure 11-3; however, all major clouds, including AWS, GCP, OpenStack, and Alibaba cloud. Terraform providers are not only cloud companies but other platforms as well. To gain a better understanding of the library of providers they include, Azure Stack, VMware, Chef, Cisco, Kubernetes, including directory services like Okta, Azure Active Directory, and databases platforms like MongoDB, MySQL, and network providers like Akamai, Cisco, Cloudflare, Palo Alto and more. Terraform allows the use of community versions of providers and validated providers. HashiCorp validated provider undergoes reviews and is often co-engineered between the two company engineering team.
There is an updated list of HashiCorp Terraform providers at www.terraform.io/docs/providers/index.html.
You want to use HashiCorp Terraform and support the business using the IaC libraries through a standard framework and the Visual Studio Code integrated development environment (IDE). In Chapter 8, you learned the prerequisites and installation procedures for macOS, Linux, and Windows operating systems (OS).
Azure subscription
Terraform Installation and configuration
Visual Studio Code installation
Your IaC laptop must be configured properly to complete the exercises in this chapter if you deploy using HashiCorp Terraform or ARM. We realize your work may focus more on traditional operations, which requires more scripting with PowerShell or Azure CLI. Anyone who would like to become a subject matter expert (SME) will find that adopting developer tools and workflows are essential.
The HashiCorp Terraform community’s open source (OSS) edition is a free download (as a single executable) to install on your local machine, as described in Chapter 8. (Note that this is the same version that is currently configured as the default in the Azure Cloud Shell.)
To create an IaC laptop for this exercise, download and install Terraform locally. You should follow best practices and update the AzureRM provider to gain the latest functionality.
Validate the version of HashiCorp Terraform installed with the command extension: terraform –version.
- 1.
From your IaC laptop, open Visual Studio Code.
- 2.
Choose the Extensions option.
- 3.
Use the Azure Terraform extension. Note the one created by Microsoft and not another developer or corporation. Select the Install option.
- 4.
Verify that the Terraform extension is installed by using the search bar. Type @installed.
- 5.
The extension should appear in the list of installed extensions.
As a note, as Microsoft and HashiCorp upgrade extensions and providers, the version numbers continue to increase.
Once the Terraform template is created, it is deployed from the Visual Studio terminal. Working with HashiCorp Terraform from the view of a DevOps engineer, you gain insight into the code structure now that the extensions are installed in Visual Studio Code (VS Code). Like ARM templates, Terraform uses a configuration file, and it is in one of two formats: HashiCorp Configuration Language (HCL) or JSON.
The HCL format uses less bracketing and is an easy-to-read file structure (easy for humans to read) but a machine-formal file structure. HashiCorp Terraform supports JSON as an alternative configuration file; however, with Terraform version 0.12 and later, the JSON files have a 1:1 mapping to HCL. The HCL configuration language format can be reviewed at www.terraform.io/docs/configuration/syntax.html.
Terraform 2.0 is the current version that continues support for ARM.
Terraform configuration is the term used for configuring Azure resources like resource groups, VNets, and virtual machines. Terraform is a declarative model used for building code modules and IaC libraries. This means that you write the code to create the desired state, and then Terraform communicates through Azure provide to create and configure Azure resources in your subscription.
Configurations for IaC use file synchronization directories and can be divided into dev, test, uat, or prod, depending on the current testing version of the library module. Plugins and other files used by Terraform are saved in a hidden file folder titled .terraform. Other files that contain configuration files for Azure are identified as the working or home directory.
Terraform persists the multiple sessions of state for the configuration files as they change from the previous state to the current state of Azure resources. As Azure resources are created in a state file, terraform.tfstate is written to manage all the resources. This is how Terraform reapplies the desired configuration after services start to drift out of compliance. There are only a handful of commands needed to deploy infrastructure as code to Microsoft Azure.
azure terraform init
azure terraform plan
azure terraform apply
azure terraform destroy
main.tf
outputs.tf
variables.tf
You added the Terraform extensions to Visual Studio Code. You can optionally install NodeJS and GraphViz (not shown for exercises). These basic steps need to be added to a best practice installation guide to run HashiCorp Terraform on Microsoft Azure.
Deploy VNets with Code
This example begins with showing only a snippet of code for the creation of Azure virtual networks (VNets) showing two different configuration files. The ARM template for JSON is first, followed by the Azure TF HCL configuration file. The focus is to show the similarities between ARM templates deployed with VS Code PowerShell or CLI and HashiCorp Terraform HCL templates deployed from a VS Code terminal.
All the code for the software-defined infrastructure, both Microsoft Azure ARM templates and HashiCorp Terraform, can be downloaded from https://github.com/harris-soh-copeland-puca.
ARM JSON Configure the Entire VNet and Two Subnets
Terrform HCL Configure the Entire VNet and Two Subnets
Deploy VMs with Code
ARM JSON Configure the Ubnutu Server
Terrform HCL Configure the Ubnutu Server
These views of creating a template library for both ARM and Terraform are very basic but a necessary place to start. As your skill increases with the use of both deployment methods, additional features are needed in the real-world deployment of Microsoft Azure infrastructure as code.
IaC Enhancement Considerations
The examples can be deployed as provided in this chapter but, with the understanding that other Azure services may be required to deploy or to be modify, dependent on your Azure subscription.
Increase security by deploying Azure DDoS (distributed denial-of-services) protection
Create a subnet and enable an Azure bastion host service
Update the entire template to support high availability
Deploy to another cloud provider
We purposefully show only a snippet of code for both ARM templates in JSON and HashiCorp Terraform and not a complete deployment solution.
You always want to improve security, and reduce risk. You can improve the overall Defense In Depth of Microsoft Azure while deploying IaC templates. However, if you want to enable an Azure DDoS plan for a specific region, first validate the service is available in the region that is exposed to the public IP address.
You also need to choose between the Basic and Standard plans. Basic is a free service. Standard has a usage cost and provides log streaming for SIEM (Security Integration Event Management) integration, real-time attack alerts and diagnostic logs, post-attack mitigation reports, layer 3 to layer 7 mitigation, and more. It can be enabled with IaC techniques with ARM, Listing 11-5. The HashiCorp Terraform code snippet, Listing 11-6 enables the Azure DDoS plan on an entire resource group using the network resource to enable the Azure protection plan.
The JSON Format Needed to Add the DDoS service to Your ARM Template Code
Terraform Code Snippet
Learn more about Azure DDoS plans, features, and the types of attacks the service reduces at https://docs.microsoft.com/en-us/azure/virtual-network/ddos-protection-overview.
Bastion Host Using ARM Templates JSON Format
Host Using Terraform Template
ARM JSON Format
HashiCorp Terraform Format
An additional benefit, when you include Terraform to deploy infrastructure in Azure, is the same work flow when deploying to other cloud providers. You should include HashiCorp Terraform services for your next IaC platform for testing.
HashiCorp Terraform Cloud (free trial) is a service that does not run on-premises. If you need to have greater features not enabled in a cloud service, you should download HashiCorp Terraform Enterprise (free trial).
24/7 phone support for mission-critical IaC
Access control and security permissions with separation of roles
Centralized logging for audit and compliance on any cloud provider
Policy as code—HashiCorp Sentinel policy engine enforcement on any cloud provider
Overhaul of the virtual machine and virtual machine scale set resources
Introduction of custom timeouts
Removal of deprecated resources
Troubleshooting IaC
You had a brief introduction to both ARM and Terraform to create your Azure infrastructure, and errors are part of the templating processes. Some of the common errors can be removed from ARM templates if you pay close attention to the bracketing required by JSON files.
JSON documents start and end with curly brackets, { }, and have a name/value pair, decorated by double quotes (" "). Some of the common errors are identified in the Microsoft Azure guide at https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/common-deployment-errors.
HashiCorp Terraform has the best architecture practices identified, which includes guidance on troubleshooting (see www.terraform.io/docs/providers/oci/guides/troubleshooting.html).
Subject-matter experts (SME) specialize in the pattern of building, testing, destroying, and rebuilding. The creation of a reusable Azure template library is an ongoing process and not a job role that allows the tools to be used once and then stored away.
Azure Blueprints
Azure Blueprints enable engineers and developers to build solutions using proven, hardened, templated, architectures that comply with organizational, industry, regulatory, and government requirements and policy. Blueprints enable rapid deployment to a secure and certifiable state of a cloud-hosted service in your organization, regardless of who the consumers of that service are. Blueprints allow architects to define roles, policies, templates, and resource groups. Blueprints enable bringing these components to a common architect to build, test, and deploy, commonly known as CI/CD, which means continuous integration and continuous delivery. Blueprints are what they are called—blueprints from which Azure services can be built.
Azure Blueprints are based on Azure ARM templates. Azure templates are declarative files for creating Azure resources in a reliable, repeatable, and auditable manner. Azure ARM templates let you deploy IaC. They are text files in which you define which Azure resources you want to deploy and how they are configured. ARM templates are test files in the JSON format. These JSON files can be edited in any text editor, and hence, can be versioned. The declarative approaches to infrastructure as code, policy as code, configuration as code, and role-based access as code provide a simple authoring experience that is integrated with Azure policy remediations, GitHub tasks, and provisioning with a variety of third-party solutions such as Terraform, Ansible, SNOW, and so forth. To learn more about defining resources in Azure ARM templates, please refer to https://docs.microsoft.com/en-us/azure/templates/.
The use of the native ARM templates allows Azure administrators to deploy resources as soon as they are available in the Azure cloud. There are no delays in compatibility and capability when ARM templates are the deployment plane. These deployments can be tracked easily in the Azure portal, providing visibility into the success or failure of the deployment. ARM templates perform checks before deployment to validate that they will succeed. These checks are known as what-if checks, which allow administrators to simulate what a change will do when deployed. It is a valuable featuresince there is no way to test in an existing environment, This feature validates preflight.
Multiple ARM template deployments can run concurrently, which is unavailable when using middleware to run IaC deployments. ARM templates can deploy Azure Blueprints across the Azure infrastructure for your organization.
ARM templates can be centrally stored and shared across the Azure ARM control plane in Azure TemplateSpecs, which is very similar to the Azure Shared Image Gallery discussed in Chapter 10. This allows the sharing of Azure templates, customized for your specific organization across Azure regions, subscriptions, and tenants. Azure TemplateSpecs can be deployed with the Azure portal, PowerShell, or CLI, or as nested deployments. Azure template artifacts and template linking will be available soon.
If you would like a tutorial on how to deploy an ARM template, please refer to https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell. By leveraging Azure ARM templates and Azure Blueprints, you can deploy cloud-hosted services in your organization to satisfy all of your security, regulatory, and organization requirements.
Summary
In this chapter, you learned about Microsoft Azure Resource Manager, an API management layer to create, edit, and delete Azure services. You were introduced to the IaC processes needed to build template libraries for blueprints to deploy Azure services consistently. You were introduced to two prominent methods for creating templates: ARM templates and HashiCorp Terraform. There was an example deployment designed to create the basic building blocks and then enhance the design with additional features. You were introduced to Azure Blueprints and the context of having a set of Azure IaC plans that may be deployed and updated with version control to create a consistent deployment process.
In Chapter 12, you continue to expand your Azure learning journey with Web Apps, monitoring, and integrating with Azure authentication methods. You learn about implementing connectivity between Azure Active Directory and other business connectivity for secure sharing of data.