Migrating Azure CAF landing zones to Terraform 0.13

More than a year ago we announced at Ignite 2019 that Cloud Adoption Framework proposes an implementation on Terraform. Since then, we have seen a tremendous feedbacks from customers and partners architects.

In the meantime lot of great things have happened: an enterprise-scale reference architecture and it’s ARM-based implementation, alongside with an incredible acceleration on the release rhythm of the Azure Terraform provider reducing the delay between features appearing in Azure and time it is available in native Terraform.

Terraform 0.13

Terraform 0.13 has been released mid August, and you can read the full details here. For us, the major improvements are:

  • Registry-based provider sourcing: No more need to side-load our custom provider, you can leverage it directly from the Terraform registry just like we for modules: our CAF provider is published here
  • Variables validation: Only allow variable to be within a certain range or validating a regex.
  • Iterations and conditions on modules: more later in this article.

Testing Terraform 0.13 with rover

After weeks of testing reliability of Terraform 0.13 during this summer’s beta, we were very happy with the stability and performance so we decided to push further our way of operating.

rover is part of the DevOps toolset we provide you with and recommend using for development teams and pipelines deployment. During this testing stage, it played full role allowing us to switch fast from one codebase to the other and also to one version of Terraform to the other.

What’s new in CAF landing zones

Leveraging Terraform 0.13, we were able to introduce new concepts in landing zones on Azure:

One module to rule them all

We have been curating 20+ modules during the last year, all published on the Terraform registry and some of them being consumed more than 26,000 times.Screenshot 2020-10-06 at 11.12.02 AM

While it was important to have different modules to maintain a very fine-grained versioning of the components we use, we found it to be a lot of work, for little added value.

We then decided to explore a model where we use only one module, that would call and iterate on different submodules – that permitted by Terraform 0.13.

We must admit we have been impressed by the results on how the graph performs, and the speed at which it works.

So the new module is still in preview but already available available here https://registry.terraform.io/modules/aztfmod/caf/azurerm/latest

Iteration-based objects deployment

To deploy core features, landing zones are now calling one module. This master module has all the major components we need to deploy within landing zones, and it iterates on every objects in the following way:

Screenshot 2020-10-06 at 11.05.16 AM

So from the configuration prospective, you define your network configuration with a complex object like this one:

Screenshot 2020-10-06 at 11.08.44 AM

So wether you need one or ten virtual networks, we iterate automatically for you.
By default the vnets like all the other variables are set to {}. So it means nothing will be created, only the variables you populate will be iterated on.

Key-based configuration and customization

All configuration objects will call each other based on the object keys. As we just seen, we use complex objects that are iterated and referenced via their keys.

It means for instance we create all the resource groups using the following object:

Screenshot 2020-10-06 at 11.14.03 AM

In that example, we create two resource groups which keys are vnet_region1 and vnet_region2. We we create the virtual network called hub (and which key is hub_sg we reference the resource group via the resource_group_key property.

Under the hood, the module is mapping back the resource group to the key with the following logic:
referencetokey

No-code environment composition

Overall this makes writing the modules code slightly more complicated, but what it means for users is the possibility to compose complex environment without changing anything in the code.

A good example for that is the networking landing zone where we are able to compose all kind of Azure network topologies (like Hub-and-Spokes virtual networks, Virtual WAN-based hub-and-spokes, etc.).

We can establish peering between on object in the current landing zone and a remote landing zones (this is very common to have separate states for the hub and the spokes)

Screenshot 2020-10-06 at 11.26.12 AM

Overall we have tested it internally and externally and have found:

  • We have been able to compose any kind of architecture using this pattern.
  • It is very fast to compose a new environment.
  • It is very fast to process by Terraform and Terraform graph.

DevOps from the ground-up

At the root of deployments, we have our launchpad which sets the Azure backend and collaboration requirements.
launchpad-200

We want to offer our customers choices and options so the new launchpad is modular: allowing add-ons to complement the configuration like:

For an example of landing zones on Azure DevOps, you can refer to the following demo:
For an example of landing zones on Terraform Cloud, you can refer to the following demo:

Coding everywhere

Using Visual Studio Codespaces or GitHub Codespaces, you can develop and deploy landing zones without installing anything on your laptop, with full access to the rover and development environment.
Screenshot 2020-10-02 at 5.02.46 PM

You can try it now: VScodespaces or on GitHub Codespaces

The journey ahead

Enterprise-scale landing zones

Enterprise-scale is a reference architecture, set of design guidelines, and reference implementation for an Azure enterprise environment.
You can find all the details here.ns-vwan.

We are working on it with the team and are integrating the module on the foundations layers. You can also try out the module here.

Delivering solutions

We found a lot of interest from customers and partners to leverage the DevOps and everything-as-code environment we setup in order to accelerate the development and the deployment of ready-to-use solutions.

We are currently working to publish solutions that you can stack-up on top of the lower levels of landing zones, amongst them, you will be able to find:
* AKS topologies including layer 4 applications
* Data and analytics, to deploy Azure Synapse, Databricks, Machine Learning, etc..
* More to come…

On the way to Terraform 0.14

Just announced, Terraform 0.14 will also bring some good features, you will be able to test it out soon in a new rover. You can read the news here

Contribute

All of that is still work in progress and you can contribute by opening an issue, a pull request or just testing it!

The repo is here: https://github.com/Azure/caf-terraform-landingzones and (most) of the things described are currently in the 0.4 branch, and will be available on this month release (2010 Update)

We’d love to hear from you, so don’t hesitate to give us feedback here or on Gitter

Arnaud

Understanding landing zones for Azure Cloud Adoption Framework – Terraform edition

Microsoft Cloud Adoption Framework (http://aka.ms/caf) is the one Microsoft guidance to adopt Azure in entreprise. One of the fastest way to put the framework in action and deploy an environment fast and good, is to use CAF landing zones for
Terraform.

CAF landing zones are an open source project living on GitHub and we welcome any contribution: https://aka.ms/tf-landingzones

In this article, you will find a set of videos and articles that should help you understanding the landing zones architectures and how to start crafting your own.

Cloud Adoption Framework: Introduction landing zones for Terraform


Cloud Adoption Framework: Deep-dive on landing zones for Terraform


First Deployment:


Setup Environment:

Cloud Adoption Framework landing zones with Terraform

Official Cloud Adoption Framework landing zones:

https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/expanded-scope/terraform-landing-zone

If you are getting started with Terraform on Azure:

Operating governance on cloud native technologies:

Azure landing zones using Terraform: Getting started

This article describes the old experience for Azure CAF landing zones on Terraform, please refer to this article for the new updated experience:

https://www.arnaudlheureux.io/2019/11/15/cloud-adoption-framework-landing-zones-with-terraform/

 

Cloud Adoption Framework for Azure has a great set of recommendations to accelerate deployment of Azure for entreprises who seek to consolidate their IT environment in the cloud and innovate on their applications.

CAF introduces landing zones as a concept that describes all the elements that must be in place to deploy a production-grade quality deployment (ie, that includes a minimal set of auditing, controls, policies, etc).

In order to accelerate that, let’s review how to deploy our first landing zone for Azure based on Terraform! We assume that you know Terraform and Azure already, if thats not the case, spend some time on my previous post.

We have published and will keep on updating a repository on GitHub: http://aka.ms/tf-landingzones

Getting started

The fastest way is to use Azure Cloud Shell:

  1. Open https://shell.azure.com
  2. Go to the clouddrive directory: cd clouddrive
  3. Clone the GitHub repo from http://aka.ms/tf-landingzones git clone https://github.com/aztfmod/blueprints.git
  4. Initialize the environment – this will create the fundamentals for the Terraform state, like Storage Account, Azure Key Vault, and the managed identities: ./launchpad.sh
  5. Deploy your first tranquility blueprint: ./launchpad.sh landingzone_vdc_level1 plan
  6. Review the configuration and if you are ok with it, deploy it by running: ./launchpad.sh landingzone_vdc_level1 apply

Below is a quick demo of doing that:

Customization

In order to ease your first contact with the landing zone, we created a sample configuration file proto.landing_zone_vdc_level1.auto.tfvars. As any .auto.tfvars file, it is going to be picked up automatically by Terraform when running. This file automatically configures all variables needed to get started:

  • Retention period for Activity logs, and operations logs.
  • Names of the resource groups to be created.
  • Location of the resources to be deployed.
  • Tags for the resources.
  • Name of log analytics and list of solutions to be deployed.
  • Security center contact details.

You can tune it to match your criteria, we hope the syntax is self explanatory, feel free to provide feedback on it!

Screenshot 2019-09-17 at 3.09.49 PM

Quick tour of the architecture:

Currently the solution is composed of 3 main components:

1. Launchpad.sh

Is a shell script, it initiates the Terraform state locally, uploads it to the Azure storage account, manages the environment variables and communication accross landing zones and other components.

2. Level0_launchpad

Creates a Key Vault, an Azure managed identity a storage account that is used to create store the Terraform state of our environment. It also creates a serie of service principals to be used to access the Terraform state and to integrate with Azure DevOps (in a future release). For full documentation, refer to the readme file.

3. Landingzone_vdc_level1

This vdc level1 landing zones leverages one blueprint (called tranquility) that sets the foundation for everything accounting and operations logs in your Azure subscription:

  • Resource groups
  • Activity Logging
  • Diagnostics Logging
  • Log Analytics
  • Security Center

Each of those features deployments are accomplished by a respective module, which is also on the GitHub, which Terraform download when it needs it (at the plan stage).

A diagram of landingzone_vdc_level1 would look something like that:

Screenshot 2019-09-17 at 3.32.02 PM.png

For full documentation, refer to the readme file.

That’s it for now, it should be enough for you to get started on the Azure Landing Zones using Terraform. Keep in mind there is much more to come on the Landing Zones, we will keep on publishing more and we will have a couple of webinars to go deep dive on the subject!

Happy landing landing zones crafting!

Arnaud Lheureux

Introduction to Terraform on Azure

As much as we love ARM templates and Json syntax for deploying resources on Azure, Terraform is another great way to accelerate and standardize your deployments. In this post, are the materials we use for the online webinar, available on demand here: https://info.microsoft.com/AP-AzureINFRA-WBNR-FY20-08Aug-29-AzureAdoption-SRDEM4141_LP02OnDemandRegistration-ForminBody.html

Slides:

Reference Links:

Tips to get started with Visual Studio Code:

Install the Terraform extension, you may notice that the 0.12 type of syntax is not recognized by default as its still under development. You can enable preview version running Terraform: Enable/Disable Language Server in the palette.

Azure Cloud Adoption Framework in Terraform samples:

If you want to kick-start your Azure deployment based on Cloud Adoption Framework Landing Zones, here are some Terraform examples of it (more webinars on this coming soon): http://aka.ms/tf-landingzones

Have fun with this!

Demos

Demo 1: Getting started with your environment

Demo 2: First deployment

Demo 3: States and outputs

Demo 4: Modules

As usual, feel free to send your feedbacks.

Arnaud

Azure Governance in the real world

In this session, we review the fundamentals behind a well managed Azure environment: Azure Management Groups, Azure Policy and Blueprints.

Session

Slides

Download the slides here

Demo 1: Architecture Center, Service Trust Portal

 

Demo 2: Azure Management Groups & Azure Policy

 

Demo 3: Create custom policies with Terraform

 

Demo 4: Azure Blueprints

 

More

Follow the new sessions coming up on the Azure APAC webinar series: 

https://www.microsoft.com/en-sg/apac/azurewebinar 

As usual, feel free to reach out if you have any question!

Arnaud