Microsoft Cloud Adoption Framework (http://aka.ms/caf) is the one Microsoft guidance to adopt Azure in entreprise. One of the fastest way to put the framework in action and deploy an environment fast and good, is to use CAF landing zones for
At Microsoft Ignite 2019, we announced that Cloud Adoption Framework for Azure now has a Terraform edition of it’s landing zones. We see landing zones as a great way to enable value quicker on Azure, and as we see tremendous excitment and growth in this area, we are evolving the experience to make it simpler and more powerful.
Adopting CAF landing zones with Terraform, customer consistenly realize they can:
deploy foundations of cloud environments fast
easily deploy governance and policies as code (with ongoing compliance enforcement and remediation)
have consistent ways to deploy innovation (infra as code, policies as code or application code are using the same mechanisms).
and many more.
This overall enables them to:optimize their operations, innovate faster and cheaper, but we will come back to that in another article.
For now, let’s get you started with landing zones development and deployment!
Setting up development environment
When deploying Infra-As-Code environments, we found it extremely important to have:
strong versioning (accross dev environment, DevOps pipelines, etc.).
short feedback loops: ability to innovate fast on your development, test new code without having to go through the whole pull-request and so mechanisms.
accomodate diversity of environments (running Windows, Mac, Linux).
strong identity consistency and no secret in any code.
In order to enable that, we use Docker containers as development (on your laptop) and deployment (CI/CD pipelines) environement. The toolset is packaged inside what we called the rover and in order to get started – whichever your platform is, just:
Once its done, make sure Docker is up and running, then Open Visual Studio Code:
We need to install “Remote Development” extension, so click the Extensions icon and then find and install “Remote Development” from Microsoft:
To make your life easier, we are going to leverage Visual Studio Development Containers, which allows you to seamlessly work on your machine and execute your code in the rover container.:
So on your machine, you will have your Terraform files, with your Git connection and other tools, but when you run the code, its seemlessly integrated with the Rover running in the container, so you can develop, test, run the complete environment.
If you look at the files, it’s classic Terraform scripts except for the .devcontainer folder where we have two files:
devcontainer.json: describes how to connect to the container, the mounting points and extensions.
docker-compose.yml: describes the container configuration needed, especially where to get the rover image (tip: we put it on the Docker registry so you dont have to manage it)
You can then go to the bottom left, green part of Visual Studio Code and select
Open Remote-Containers: Open Workspace in Container, then select the default workspace we created for you (workspace.code-workspace). You will see a new window opening and you can see the details of the Docker container operations:
downloading the container from registry
mounting the volumes
creating the network
installing VSCode drivers in the containers
You are now ready to start hacking, you can start by launching:
rover /tf/caf/landingzones/landingzone_caf_foundations plan
Azure Sentinel is Microsoft cloud-native SIEM and SOAR. Say goodbye to 6 months SIEM solution setup and architecture – get started with visibility on you environement just now, and use the rich ecosystem of connectors to extend intelligence to your complete security suite.
Azure DDoS Protection Standard is a service that enables AI-based protection of your cloud applications. Below is the list of resources of our webinar aired on 19th September 2019.
As a quick reminder, below is the set of network protections in front of your Azure instances. DDoS protection exists in a free tier which is present by default on all resources you publish using a public IP address. In this session we discuss about the addition of the “Standard” edition of the Azure DDos protection.
Cloud Adoption Framework for Azure has a great set of recommendations to accelerate deployment of Azure for entreprises who seek to consolidate their IT environment in the cloud and innovate on their applications.
CAF introduces landing zones as a concept that describes all the elements that must be in place to deploy a production-grade quality deployment (ie, that includes a minimal set of auditing, controls, policies, etc).
In order to accelerate that, let’s review how to deploy our first landing zone for Azure based on Terraform! We assume that you know Terraform and Azure already, if thats not the case, spend some time on my previous post.
Clone the GitHub repo from http://aka.ms/tf-landingzones git clone https://github.com/aztfmod/blueprints.git
Initialize the environment – this will create the fundamentals for the Terraform state, like Storage Account, Azure Key Vault, and the managed identities: ./launchpad.sh
Deploy your first tranquility blueprint: ./launchpad.sh landingzone_vdc_level1 plan
Review the configuration and if you are ok with it, deploy it by running: ./launchpad.sh landingzone_vdc_level1 apply
Below is a quick demo of doing that:
In order to ease your first contact with the landing zone, we created a sample configuration file proto.landing_zone_vdc_level1.auto.tfvars. As any .auto.tfvars file, it is going to be picked up automatically by Terraform when running. This file automatically configures all variables needed to get started:
Retention period for Activity logs, and operations logs.
Names of the resource groups to be created.
Location of the resources to be deployed.
Tags for the resources.
Name of log analytics and list of solutions to be deployed.
Security center contact details.
You can tune it to match your criteria, we hope the syntax is self explanatory, feel free to provide feedback on it!
Quick tour of the architecture:
Currently the solution is composed of 3 main components:
Is a shell script, it initiates the Terraform state locally, uploads it to the Azure storage account, manages the environment variables and communication accross landing zones and other components.
Creates a Key Vault, an Azure managed identity a storage account that is used to create store the Terraform state of our environment. It also creates a serie of service principals to be used to access the Terraform state and to integrate with Azure DevOps (in a future release). For full documentation, refer to the readme file.
This vdc level1 landing zones leverages one blueprint (called tranquility) that sets the foundation for everything accounting and operations logs in your Azure subscription:
Each of those features deployments are accomplished by a respective module, which is also on the GitHub, which Terraform download when it needs it (at the plan stage).
A diagram of landingzone_vdc_level1 would look something like that:
That’s it for now, it should be enough for you to get started on the Azure Landing Zones using Terraform. Keep in mind there is much more to come on the Landing Zones, we will keep on publishing more and we will have a couple of webinars to go deep dive on the subject!