Deploying Azure DevOps using Terraform
- 1. Deploying Azure DevOps using Terraform Lessons Learned
- 2. Agenda • Microsoft’s Investments in Terraform • AzureRM Terraform Provider Roadmap • Terraform vNext • Azure DevOps Components Breakdown • Resources
- 3. Microsoft’s investments in Terraform • Microsoft Team HashiCorp Team • Terraform AzureRM Provider updates • Latest release (August 5, 2020) enhancements/bug fixes releases/updates published in July alone! • Terraform Module Registry • https://registry.terraform.io/browse/modules?provider =azurerm
- 4. Roadmap https://github.com/terraform-providers/terraform-provider-azurerm
- 5. Terraform v0.13 highlights • Support for , , and • New syntax • Custom command connects a CLI user to the Terraform Cloud app terraform { required_providers { azurerm = { source = "hashicorp/azurerm" version = "2.0.0" } } } variable "image_id" { type = string description = "The id of the machine image (AMI) to use for the server." validation { condition = length(var.image_id) > 4 && substr(var.image_id, 0, 4) == "ami-" error_message = "The image_id value must be a valid AMI id, starting with "ami-"." } }
- 6. Azure DevOps Component Breakdown • Project • Repository • Variable Groups • Pipelines • Service Endpoints • Boards • Environments • Releases • Test plans • Artifacts Can’t deploy (yet):Can deploy:
- 7. Environment Variables • $ENV:AZDO_PERSONAL_ACCESS_TOKEN = 'SomeBigLongGUID' • $ENV:AZDO_ORG_SERVICE_URL = 'https://dev.azure.com/AdinErmie' • $ENV:AZDO_GITHUB_SERVICE_CONNECTION_PAT = 'SomeOtherGUID' • ADO Personal Access Token • Used to allow you current execution credentials permission into you DevOps Org (via the API), to create a new ADO Project • Use personal access tokens • ADO Organization Service URL • Simply, the Org URL (because you’re making a new project inside an existing Org, not a new Org) • GitHub Service Connection Personal Access Token • Used for acceptance testing
- 10. Azure DevOps Variable Groups
- 12. Azure DevOps Service Endpoints
- 13. Azure DevOps Service Endpoints OAuth
- 14. Azure DevOps Service Endpoints Personal Access Token (PAT)
- 15. Azure DevOps Service Endpoints GitHub App
- 16. Let’s see it in action!
- 17. Lessons Learned • You need to pre-create storage account where you will store the TF State file for the creation of the ADO project • Unless you create it using Terraform, and then use terraform import to bring it under Terraform control/management • Importing a public OR private GitHub repo is not yet supported • Creating Service Endpoints is confusing • Unsure how to ‘authorize’ the Azure service connection with permissions on the Key Vault (for existing SPNs) • For demo simplicity, set the Key Vault default network access control to ‘allow’ • Not a best-practice, but unless you’re VPN’d into a VNET that has access to the KV, you won’t be able to see any keys/secrets • SPN password (if used to pass into the Terraform command-line via pipeline), does not like $p3c1@l (special) characters
- 18. Lessons Learned (continued) • If you define a new repo, and then attempt to define the pipeline via code, but the YAML file doesn’t already existing in the repo (because they’re not pushed to it), you’ll encounter the error “File FILENAME.yml not found in repository REPO NAME”
- 19. (more) Lessons Learned • Currently not supported to programmatically (through Terraform) grant the Pipeline access to the Service Connection • Issue #41 - Authorize service connection use by pipeline via Terraform
- 21. Bonus! TFLint • A part of the GitHub Super Linter • One linter to rule them all • Used to validate against issues • Focused on possible errors, , etc. • Support for all providers • Rules that warn against • AWS = 700+ rules • Azure = 279 rules (Experimental support) • GCP = WIP
- 22. Resources • Adin’s personal curated list of Terraform resources • Automating infrastructure deployments in the Cloud with Terraform and Azure Pipelines • Deploying Terraform Infrastructure using Azure DevOps Pipelines Step by Step Don’t forget about these Visual Studio Code (VS Code) extensions: Azure Terraform (by Microsoft) Terraform (by Mikael Olenfalk) Now owned by HashiCorp!
- 23. Certification resources • HashiCorp Terraform Certified Associate Preparation Guide (co-authored by Adin Ermie and Ned Bellavance) • Study Guide - Terraform Associate Certification (HashiCorp official) • Exam Review - Terraform Associate Certification (HashiCorp official) • Sample Questions - Terraform Associate Certification (HashiCorp official)
- 24. This is me Adin Ermie • Cloud Solution Architect – Azure Infrastructure @ Microsoft • Azure Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) • Cloud Management & Security • Azure Monitor, Azure Security Center (ASC) / Azure Sentinel • Cloud Governance • Azure Policy, Blueprints, Management Groups, and Azure Cost Management (ACM) • Business Continuity and Disaster Recovery (BCDR) • Azure Site Recovery (ASR) / Azure Migrate, and Azure Backup • Infrastructure-as-Code (IaC) • Azure Resource Manager (ARM), and Terraform • 5x MVP - Cloud and Datacenter Management (CDM) • 1x HCA – HashiCorp Ambassador [email protected] @AdinErmie https://AdinErmie.com linkedin.com/in/adinermie https://github.com/AErmie
Editor's Notes
- #10: NOTE: The public documentation incorrectly shows an example of Import, even though the feature is not actually available yet!