Infrastructure as Code in Azure



This content originally appeared on Level Up Coding - Medium and was authored by Changsin Lee

My quick impressions of doing IaC in Azure. What is Infrastructure as Code? What are the limitations and gotchas?

· IaC Overview
 ∘ What is IaC?
 ∘ Why is IaC needed?
 ∘ Two approaches to IaC
 ∘ Popular IaC tools
· IaC in Azure
 ∘ Azure management concepts
 ∘ ARM Templates
 ∘ ARM Template Limitations
 ∘ 6. Azure resource visualizer sucks
· Final Words
· References

Visualization of IaC in action

IaC Overview

Before discussing how IaC is done in Azure, let’s first have some background about IaC.

What is IaC?

Infrastructure as Code (IaC) is a process of managing computer infrastructure in files. There are two components to IaC. The first is provisioning resources through deployment. The second is managing the deployed resources as code. In both cases, describing infrastructure as code is the necessary precondition.

Why is IaC needed?

To see why IaC is necessary and beneficial, consider the default. If you have ever had to manage a moderate-sized server lab, you know how painful it is to track and provision physical devices with all the hardware in racks, wiring, networking, etc. Moving to the cloud has definitely made infrastructure easier to visualize with a nice console UI, but managing it is still quite challenging. Below is a screenshot of a typical console UI. With multiple layers of options and rules, it is easy to lose your way in the cloud (pun not intended).

A typical console UI of a cloud service

Provisioning and managing the complex configurations of the infrastructure as files allows them to be version-controlled and code-reviewed. This reduces the risk of human error, lowers the cost of management, and increases the speed of deployment and setup.

Two approaches to IaC

There are two approaches to doing IaC. In the imperative (or procedural) approach, you describe how the desired state can be achieved. To do so, you need to know the details of how things work: namely, the order, error checking conditions, etc. Typically, the procedures are specified in some kind of scripting language like PowerShell CLR or Python.

The second approach is called the ‘declarative’ (or ‘functional’) approach because it simply describes what the desired state is without specifying how it can be achieved. YAML or JSON files are often used for this purpose. An important thing to note is that the described state is ‘idempotent,’ meaning that executing the same script multiple times would not change the desired outcome.

Popular IaC tools

The most popular IaC tool is Terraform, which uses Go as the scripting language. Ansible by Red Hat uses Python and is another popular tool.

Cloud providers like AWS, Azure, and GCP, on the other hand, have their own IaC tools. The AWS IaC solution is CloudFormation, which uses YAML for the file format. Azure has ARM (Azure Resource Manager) templates that are written in JSON. Google CDM (Cloud Deployment Manager) templates are written in Python.

I personally have used AWS CloudFormation and ARM and their usage is very similar.

IaC in Azure

Having established some basic knowledge about IaC, we are ready to see IaC in action in ARM (Azure Resource Manager).

Azure management concepts

In Azure, resources are organized in hierarchies, starting from an account that grants you access to Azure services and subscriptions. Azure AD (Active Directory) is the system that manages the account’s access to Azure resources. A tenant is an instance of Azure AD and each tenant has a single, dedicated, and trusted directory that contains the tenant’s users, groups, and applications.

A directory is further organized hierarchically into management groups, subscriptions, resource groups, and resources.

https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources

ARM Templates

ARM (Azure Resource Manager) is the IaC service for Azure and ARM templates are JSON files that define and describe resources and configurations.

ARM templates work on resources and resource groups. For instance, you can choose to export one resource (e.g., a database resource) or the entire resource group that has a lot of resources. However, you cannot export beyond resource groups: e.g., across multiple subscriptions or directories.

For this reason, it is a good practice to organize your resources into logically related resource groups: e.g., place all database-related resources into one resource group. Once related resources are organized into groups, it becomes really easy to deploy the entire resource group in one go.

The official documentation has extensive explanations and samples so I will skip the details. Instead, I will focus on some personal ‘gotchas’ that I encountered while using ARM templates.

ARM Template Limitations

While ARM templates are great ways to manage and deploy resources with all the benefits of IaC, they have some limitations.

1. Not all resources are exported.

The first snag that you might hit is that not all resources are exported. For instance, here are a few error messages I encountered when trying to export resources:

Errors of this kind are not uncommon, but the vast majority of resources are exported, so this should not be an excuse not to use ARM templates.

2. ARM templates are ‘best efforts’ only.

The declarative syntax of ARM templates means that you do not have to worry about the order of execution, how they can be created, etc. However, they are not 100% guaranteed to be correct or deployable. If there are dependencies for a resource and those dependencies do not exist, the dependent resource will not be created. For instance, if a virtual machine has a dependency on a disk drive that does not exist, the deployment will fail.

3. Fix circular dependencies.

One of the errors that you might encounter when trying to deploy a template is ‘circular dependencies.’ For instance, an availability set and a virtual machine might have each other as the dependency.

In such cases, the template will fail validation before deployment so you have to remove the circular dependency. In my case, I simply removed the VM from the availability set dependency to fix the problem.
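The circular dependency described above can be caught before submitting a template by walking its `dependsOn` graph. The following is an added example, not code from the original article: the template fragment, the resource names (`avset1`, `vm1`, `nic1`) and the helper functions are constructed for illustration, and `dep_name` makes the simplifying assumption that the last quoted literal in a `resourceId(...)` expression is the resource name.

```python
import json
import re

# Constructed ARM template fragment: the availability set and the VM list each other.
TEMPLATE = json.loads("""
{"resources": [
  {"type": "Microsoft.Compute/availabilitySets", "name": "avset1",
   "dependsOn": ["[resourceId('Microsoft.Compute/virtualMachines', 'vm1')]"]},
  {"type": "Microsoft.Compute/virtualMachines", "name": "vm1",
   "dependsOn": ["[resourceId('Microsoft.Compute/availabilitySets', 'avset1')]",
                 "[resourceId('Microsoft.Network/networkInterfaces', 'nic1')]"]},
  {"type": "Microsoft.Network/networkInterfaces", "name": "nic1"}
]}
""")

def dep_name(entry):
    """Reduce a dependsOn entry to a resource name (assumption: last quoted literal)."""
    quoted = re.findall(r"'([^']+)'", entry)
    return quoted[-1] if quoted else entry

def build_graph(template):
    """Map each resource name to the names it depends on."""
    return {r["name"]: [dep_name(d) for d in r.get("dependsOn", [])]
            for r in template["resources"]}

def find_cycle(graph):
    """Depth-first search; returns the first cycle found as a list of names, or None."""
    state = {}  # name -> "visiting" | "done"

    def visit(node, path):
        if state.get(node) == "done":
            return None
        if state.get(node) == "visiting":
            return path[path.index(node):] + [node]
        state[node] = "visiting"
        for dep in graph.get(node, []):  # resources outside the template have no edges
            cycle = visit(dep, path + [node])
            if cycle:
                return cycle
        state[node] = "done"
        return None

    for name in graph:
        cycle = visit(name, [])
        if cycle:
            return cycle
    return None

def without_edge(graph, src, dst):
    """Copy of the graph with one dependency removed (the fix described above)."""
    return {n: [d for d in deps if (n, d) != (src, dst)] for n, deps in graph.items()}
```

Calling `find_cycle(build_graph(TEMPLATE))` reports the loop between the availability set and the VM; after `without_edge(graph, "avset1", "vm1")` the same check returns `None`.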

4. Secrets are not exported.

By ‘secrets’, I mean private or secret resources that have to do with privacy or security: e.g., certificates, passwords, etc. When you export a database resource, for instance, the admin user name and the password will not be exported even if you set them through the UI. Obviously, these are not limitations, but security features to protect the resources.

The best practice is to keep your secrets in the Key Vault service and refer to them from your template files. The following template snippet shows the reference to a KeyVault secret for the certificate through a user-assigned identity.
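As an added example (not the author's snippet, which did not survive on this page), the check below audits a template and its parameter file for secure parameters that are hard-coded instead of resolved through a Key Vault reference. The parameter names, the literal values and the placeholder vault ID are constructed; the `reference` / `keyVault` / `secretName` layout is the standard ARM parameter-file form.

```python
import json

# Constructed template "parameters" section and parameter file (placeholder IDs, not real ones).
TEMPLATE = json.loads("""
{"parameters": {
  "adminLogin":    {"type": "string"},
  "adminPassword": {"type": "securestring"},
  "certPassword":  {"type": "securestring", "defaultValue": "changeme"},
  "apiKey":        {"type": "securestring"}
}}
""")
PARAM_FILE = json.loads("""
{"parameters": {
  "adminLogin":    {"value": "dbadmin"},
  "adminPassword": {"reference": {
      "keyVault": {"id": "/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<vault-name>"},
      "secretName": "<secret-name>"}},
  "apiKey":        {"value": "literal-secret-in-git"}
}}
""")

SECURE_TYPES = {"securestring", "secureobject"}

def audit_secrets(template, param_file):
    """Return (parameter, problem) pairs for secure parameters not sourced from Key Vault."""
    findings = []
    supplied = param_file.get("parameters", {})
    for name, spec in template.get("parameters", {}).items():
        if spec.get("type", "").lower() not in SECURE_TYPES:
            continue  # only secure parameters are expected to come from the vault
        if "defaultValue" in spec:
            findings.append((name, "hard-coded defaultValue in template"))
        entry = supplied.get(name, {})
        if "value" in entry:
            findings.append((name, "literal value in parameter file"))
        elif "reference" in entry:
            ref = entry["reference"]
            if not ref.get("keyVault", {}).get("id") or not ref.get("secretName"):
                findings.append((name, "incomplete Key Vault reference"))
    return findings
```

For the reference form to resolve at deployment time, the vault must have `enabledForTemplateDeployment` set to true.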

5. Static resources might not be static.

Static resources like IP addresses are deployed but their actual values might be different from what you assigned them to be depending on the current availability.

To avoid deployment and service problems, it is best to use parameters for static resources rather than hard-coding actual values.

6. Azure resource visualizer sucks

You can visualize ARM templates in Azure using the Resource visualizer. However, I have to warn you that the tool is very minimal in its functionality and you cannot interact with the elements except by zooming in and out.

Fortunately, VS Code comes with two great extensions for ARM templates. The Azure Resource Manager Tools extension is a great helper for editing templates, while ARM Template Viewer is a great interactive visualization tool. The same resource group plotted above is visualized in ARM Template Viewer like the following:

Final Words

Despite the aforementioned limitations and gotchas, ARM templates and IaC are still the best way to manage your resources and configurations. Like any tool or skill, there are technical trade-offs and you have to be aware of the gotchas and make an informed decision about what the best tools are for your specific needs. I hope my article has informed you about where to start your journey in IaC and ARM templates.

References

[1] Microsoft documentation: Azure Fundamental Concepts

[2] Microsoft documentation: Azure Resource Manager

[3] Good reference article comparing different IaC frameworks: https://spacelift.io/blog/infrastructure-as-code

Changsin Lee | Sciencx (2022-06-30T11:20:53+00:00) Infrastructure as Code in Azure. Retrieved from https://www.scien.cx/2022/06/30/infrastructure-as-code-in-azure/
