An Introduction to Azure Verified Modules
Hey everybody, and welcome to today's video on Azure Verified Modules, or AVM for short. I'm Jack Tracey. You may have seen me around on things like Azure Landing Zones and subscription vending, mainly on the Bicep side of the house, and I'm joined today by my colleague Matt. Matt, do you want to give us an intro?

Thanks, Jack. Yeah, my name is Matt White, matt-FFFFFF on GitHub. I also get involved with Azure Landing Zones, and I own the Terraform modules for that and also subscription vending. So yeah, excited to talk to you about AVM today.

So AVM's our latest project that myself and Matt have been working on for like the last six to nine months, and it's all around bringing together a shared infrastructure as code module strategy and single source of truth across Microsoft, for today Bicep and Terraform, but who knows what we'll be in the future, and we'll get into that throughout today's session.

So let's start on why. Why are we solving this problem, right? We see a lot of our customers, you know, when they start out on their cloud journeys, starting with deploying resources through the portal, operating and managing them through the portal, something we deem ClickOps, as a cliché term. Customers then go through that natural progression of going, "Hey, we should start doing things like infrastructure as code, using some Bicep, using some Terraform, maybe some ARM templates, and we should start doing this via pipelines," you know, GitHub Actions, Azure DevOps pipelines, those sort of things. And that's great. All these teams run off and do these separate things across an organization, and then you realize that, you know, you step back and you go, "Hang on, we've got five different ways of deploying a VNet, 10 different ways of deploying a VM, and 15 different ways of deploying a storage account. We should probably get together and centralize this and make some efficiencies and, you know, don't repeat ourselves everywhere, right, and reduce the amount of code we've got to maintain."

So you then go on that journey of trying to decouple and stop repeating code and rationalize everything, and somebody goes, "Hey, we should probably look externally here, because I'm pretty sure somebody else has solved this before, or Microsoft might have something for us that can help us along on this journey." And that's a great, you know, place to be. You then go out there and find in the wild that there's many infrastructure as code repos out there with their own standards. They all have different specifications, different principles, different goals, and different support statements, and you're left as a customer to make a decision on which one works best for your organization. Effectively you have to pick one at random, or with the most educated guess you can make at that time based on the requirements you have.

If you happen to pick a Microsoft one at this stage, so something in a GitHub, or it's under Azure or under Microsoft, you may then start using that and be happy and, you know, getting support and all of those things. But over time, over the course of years, you may then actually discover that, you know, it's not being maintained as much as it was before and it might have become stale, and that may actually be because it was never officially supported by Microsoft. It was just a community project and an open source inspired project from Microsoft that started and just happened to be from an FTE that had access to put it in those organizations. And that can reflect badly on Microsoft, which obviously all of us want to avoid, and we want our customers to have the best experience.

So the challenge that I've just outlined was given to myself and Matt at the start of our financial year, and the solution that we've come up with, and we're here talking about today, is Azure Verified Modules. I'm gonna hand over to Matt now to talk to you a little bit more about what that actually is.

Thank you, Jack. So ultimately Azure Verified Modules has been created to address the problems that Jack so
eloquently described. The first is that these are supported. These have an owner in Microsoft, an FTE, and there is a process to transfer ownership as people change roles. You can raise a support ticket on these modules and it will get directed to the module maintainers. We have also spent a lot of time aligning Azure Verified Modules across Microsoft. Actually, Azure Verified Modules is the amalgamation of two previous projects: one is Terraform Verified Modules, run by the Terraform PG, and the other one is CARML, which was a Bicep project run by some people in the ISD team in Microsoft. What we've done is we've brought these two programs together to create a unified strategy for IaC at Microsoft, which brings together really the best of both worlds. We are aligned with the Well-Architected Framework, which is essentially secure and available by default, and I'll talk a little bit about that in a minute. And ultimately it's designed to accelerate deployment through familiarity, so you're not having to start from scratch every time.

So what do we mean by secure and available by default? Well, Well-Architected availability says that you should deploy in two zones, so that's what we do by default. The default value, if a resource supports it, will be to deploy in a zone-available configuration. Secure by default: things like disabling public access. The Key Vault module, for example, when you deploy it, you will not be able to access it publicly. Now of course you can if you want to, but you have to explicitly set that configuration. It's not the default.

Let's dive into a little bit about the types of modules that we have. The first is a resource module. Now that deploys a resource in a meaningful way, and what we mean by that is you don't have to necessarily worry too much about the way the ARM resource model is constructed. If you want a VM, you get a working VM, in that it has a disk and a network adapter, the necessary resources to make it work. However, we draw the line at creating subnets, because the subnet is a part of the virtual network module. So by using the virtual network module and the virtual machine module together, you get a working solution. We've also made the decision to allow resource modules, or to insist resource modules, also deploy child resources. The virtual network module also deploys subnets, and the Key Vault module deploys keys and secrets. In that way we feel it's a more complete experience without having to micromanage multiple individual types of modules.

Our pattern modules, which is the other type that we have, their goal is to deploy a collection of resources in a meaningful way to achieve a goal. So following on from the resource module examples, if you think about an application tier, we might be looking at a load balancer, virtual machine scale set, network security groups, and optionally maybe a public IP address. What you're able to do with that pattern is maybe stitch multiple ones of those together, plus maybe a database resource module like an Azure SQL resource module, and that then provides you with a solution to deploy an n-tier application.

So to kind of summarize, the value proposition is familiarity to developers, familiarity to platform engineers. It should be easy to get started. One of the ways we do this is having standard interfaces for common Azure resources, or extension resources, like things you want to do with your storage account. It might be you want to give it a private endpoint, you might want to grant role-based access control on it, especially data plane access. For other resources that support it, you might want to give those resources a managed identity or a customer-managed key. What we've done is standardized the interfaces for all of that, so module authors must provide the same set of inputs in order to enable those features for their modules. That actually hides some of the differences that we have in our APIs behind the scenes, especially customer-managed keys. Lots of resources implement that in a different way, but you don't have to know that. What you as a consumer will have to do is learn the interface that we've created, and we handle that complexity.

Thank you, Matt, for giving us that really detailed insight into what AVM actually is. I think if you're now a customer and a consumer going, "Hey, this sounds great, like what do I do with this, like where does this fit in my journey?", we've got this slide to hopefully help answer that question for you. This is from our subscription vending documentation that myself and
Matt put together last year, and as you may have worked out yourselves, this is more targeted at the application teams or the developer teams when you're getting into that adopt phase of the Cloud Adoption Framework, like when you're ready to deploy your resources and build your, you know, your service or your application, what you're deploying into your application landing zone. This is where these modules really help your application teams do that. But we are noticing that some teams are using these, or want to use these, to build their platform elements as well, and that's something that we're actually doing aside of the Azure Landing Zones Terraform module vNext. If you've been following that story, and we're very close to getting something out, you'll notice that actually those modules for things like the hub networking, Virtual WAN, management, those sort of group of resources that are technically platform landing zones, you know, the things underneath the platform management groups, they are all pattern modules inside of AVM. That is their direction. We have moved them into this project because this is the future that we believe: that central library of assets, of resource modules, all those atomic units that we can stitch together and then give everybody that value of all of those common interfaces and all of the greatness that Matt's just spoken around. So it can fit in both, but ideally it's for your application teams to not have to start from scratch every time, so they can take these modules and really build at an accelerated pace. So Matt, how do our customers find out more about this stuff?

Thanks for asking, Jack. We have a website, so aka.ms/AVM is the link. The first thing I'd like to point out on here is the support statement, so we've also got a short link for that, aka.ms/AVM/support, where you can see our commitment to you and our commitment to keeping these modules maintained and up to date. If you're into the weeds, if you're into the detail of this, we also publish all of our specifications, so we've got functional and non-functionals for the general Azure Verified Modules. We've also got them as they pertain to resource and pattern modules, as well as language-specific specifications, because even though we want to unify things as much as possible, we should also make the best use of each language as we can, and there are certain characteristics and ways of doing things in one language that might not be sensible in another. So we try and keep things familiar: if you're familiar with Bicep, it will feel like a Bicep module; if you're familiar with Terraform, it will feel like a Terraform module.

If you're interested in proposing a mod... oh sorry, there's a module indices. So we actually publish the indexes, the indices, of the modules that are either in development or are being published, or have been published, sorry. But if you can't see the module that you want on that list, then you can request, you can propose a module, and the link for doing that is on the screen now. If you are interested in contributing, please indicate as such when you create that issue. What it does is create a GitHub issue which we can then triage. We have already, and we are able to, support external contributions as long as we have a Microsoft FTE as a kind of sponsor for this, and the reason for that is because we need to support it, so we need to make sure it's owned and there's a person responsible in Microsoft who can do that.

The next and the final thing I want to bring up is our module triage board. Now this is a publicly available kind of backlog view of all of the development and all of the modules that have been proposed and kind of what state they're in. And again, if you're interested in contributing, feel free to just leave a comment and say so. We'll hook you up with the module author team.

So I hope that was useful. It was a very brief introduction to Azure Verified Modules. Please leave us a comment in the video below or reach out to us on LinkedIn or other sites, and we'd love to hear from you and we'd love to hear what you think about Azure Verified Modules. So yeah, and with that, thank you very much and we'll see you soon.