Get in the (Landing) Zone With Terraform on Azure


So welcome, everyone. Thank you so much for joining us today for this session. We really appreciate your time and attendance today. We'll make sure that we make these next 30 minutes worth your while, and also for the folks who might be looking at the session in recorded format later on, which will be uploaded on the HashiCorp website.

So we're going to start off today with our session. Our session is called Getting in the Zone with Terraform on Azure, or rather Getting in the Landing Zone with Terraform on Azure. Now, for those of you who might have noticed, one of the bathroom toiletries in the Marriott hotel does say "in the zone" body lotion, so we didn't get inspired from there.

So we were a bit more genuine, and we did put in a bit more effort, and we basically asked ChatGPT to give us the session title and description. So yeah, that's how we got the session title and description. Now, moving forward towards introductions, before I introduce myself and my colleague here, I just wanted to call out, in true Microsoft fashion, all our colleagues and friends, and our community in general actually, who have worked on a lot of the stuff that we're going to be presenting here today. So a big shout out to them and a big thank you to them, not just at Microsoft; as I mentioned, there are customers, and then there's a wider community that's been helping us with that.

So first of all, introducing myself: my name is Bilal Amjid and I am a Cloud Solution Architect. One of my passions is to cover Azure Landing Zones and implementing them with Terraform on Azure, and I work as part of the Customer Architecture and Engineering team at Microsoft, which Matt is going to explain a bit more.

Thanks, Bilal. So my name is Matt White. I am the Terraform lead for Azure Landing Zones, amongst other things, and yeah, we work in Customer Architecture and Engineering. What do we do? We go really deep into customer engagements and help unblock things and help people succeed on Azure, but we are also tasked with having impact at scale, a global scale. So how do we do that? Well, we write stuff to make your life easier, right? So Terraform modules, Bicep modules, things like that. We're going to talk to you a little bit about some of what we do today.

So what are you going to learn? We're going to cover a little bit about some of the stuff we make, some of the providers and some of the modules, how you then put that together to achieve something meaningful, and then we're going to take it up a level and, harking back to the keynote this morning where they were saying, well, what's your time to first commit as a kind of KPI, right, we're going to put that all together and show you how you can deliver ready-to-code development environments for your developers in about four minutes, if the demo works. So let's get started.

The journey we want to take you on starts at the platform level, and unsurprisingly, being from the Azure Landing Zones team, we think you should start with Azure Landing Zones. We created that reference architecture about three years ago, I think, and it was in response to customers asking us, hey, how do we get started on Azure? And we used to say, well, it depends. That didn't go down well. So what we thought we'd do is create a reference architecture that people could use as a North Star, but we're going to talk to you about that in a minute.

Subscription vending is the next step, and you might be thinking, well, why do I need to bother, why do I need to create subscriptions or automate that? So the subscription forms a natural security boundary for your workloads or tightly coupled workloads, so it makes sense to have more, smaller subscriptions than fewer, larger ones. It also forms a governance boundary, because in ALZ we do policy at the management group level. It makes sense to put subscriptions in management groups and have that as your governance. So if you have loads of different workloads in a subscription, they all kind of have to share the same governance, and so it makes sense to have fewer workloads in a subscription.

So yeah, moving on. What we have called secure and compliant app teams at scale is that kind of question: how do you give an environment to your development teams that is actually useful, where they don't have to faff about configuring stuff? Finally, best practice module library: how do you get your teams to deploy resources in a secure-by-default fashion, highly available by default? We'll talk to you about that in a minute.

Yeah, so Matt talked about this journey that we've been going along with customers, and I think with any journey, if Microsoft says, hey, do that, that doesn't work out; we really need to see that that journey works out with our customers, and customers small, medium, large, of all sizes and all types of requirements and environments that they want to set up, right? One of the journeys that we've been on, with one of our customers, is Unilever. I think it's a household organization that we're all familiar with that operates at a global scale, so similarly their Azure requirements are also operating at a global scale. We've been on this journey with them, and I think from the feedback that you can see here, on this journey they've been able to set up end-to-end development environments, which has basically helped them set up GitHub repositories, Terraform workspaces and Azure resources end to end.

Now with that, I think, strategically speaking, we talked about the journey, but you might be thinking, okay, show me the real stuff, where's the stuff that makes it happen, right? So going on to the stuff we make that tactically makes this strategic journey happen, starting first off with Azure Landing Zones. So Azure Landing Zones is our prescribed way of enabling any Azure environment at scale. It's basically our go-to reference architecture, or what we like to call our North Star reference architecture. A few of the focuses in this architecture are driving your governance through policy, having your subscriptions democratized as the unit of scale in your Azure environment, and then it's available not just in Terraform but Bicep and ClickOps also. And as on this slide and on further slides that will come down the road, the short link and the QR code are there for you to be able to get more details on it.

Thanks, Bilal. So I mentioned that we write Terraform modules, and one of the ones that we write is this one. It is a representation of the ALZ reference architecture in Terraform, and it's really easy to get started: in about 10 lines of HCL you can deploy the reference architecture, which comprises of like 250-odd resources. But it's also really easy to customize. We recognize that the ALZ reference architecture is just a reference architecture; people are going to want to customize it and tailor it to their needs, so we can do that. We can change the management group hierarchy, we can change the policies that we deploy with that as well, we can deploy core networking resources, so we've got connectivity and management: hub and spoke or Virtual WAN, as well as centralized logging. So in ALZ we prescribe a centralized logging solution with Log Analytics. That all gets deployed in one go with this module, so it's super easy.

Next, subscription vending. So creating a subscription should not be an onerous task, right? But actually the subscription on its own is kind of the easy bit. What we've done in a single module is wrap up some of the common things that you need to do in order to, you know, kind of do the plumbing for that subscription and make it work. So we can create a subscription; you don't have to, you can use it with an existing one if you want, which makes testing easier. You can create one or more virtual networks, or none; you can peer them together, so if you've got architectures that require presence in perhaps different regions, you can create those VNets and peer them all together. You can also then peer those VNets back to a hub or a Virtual WAN hub. A subscription is no good if nobody can access it, right? So you can grant role assignments into that subscription, and we're going to major on federated identity a lot today, which is a really cool way of providing access from cloud-based CI/CD runners like GitHub Actions or Terraform Cloud into your subscription without relying on shared secrets. So we use the magic of OpenID Connect to do that, and it's really cool, it's really easy.

Sub vending wouldn't be possible today in this current form without this provider. I hope some of you were able to catch Steven's session, which was 15 minutes before this in the hallway track, where he talked about AzAPI. So we think this is cool in our team because it allows us to deploy resources at any scope in a single apply. If you are familiar with AzureRM, you'll know that you need to give it the subscription ID when you run terraform init. The problem is we don't know what that is because we haven't created it yet. So AzAPI allows us to string this together in a single apply, whereas if you're doing this in AzureRM you'd need to apply the subscription first, take the output of that, and then apply the stuff. Now obviously we didn't have Stacks; they've just announced that, so maybe we don't need to use it. Actually this is a really cool provider for other reasons as well: zero-day support for any Azure resource. It's a fully managed Terraform resource as well; it's not some hacky way of, like, embedding an ARM template or, you know, lo and behold, an az CLI local-exec provisioner, not that I've ever done that, into something. It's a fully managed Terraform resource: you can create, update and delete it. It's got great language service support in VS Code as well, so do check it out, it's really, really useful.

Just as an example, here's a sample resource. So you can see the type: it's got a resource provider, it's got a resource type, but it's got an API version. Now that can be whatever you want as long as it's supported, great if you're on some Secret Squirrel private preview program and you need to have a private API. But the parent ID is what really helps us, so we can specify any scope: that can be, like, tenant, management group, subscription, resource group, resource, whatever, right? So we can deploy resources anywhere, super easy.

Now, all right, so we talked about the journey and we talked about the stuff that makes that journey possible, right: the Azure Landing Zones Terraform module and, following up on that, the Azure Landing Zones subscription vending module. Now, the last mile of that journey is something that our community and our customers have been looking for us to support them with: okay, I've got a set of resources to deploy at the platform level or at the application level, I can write the code myself for Terraform, but I would want to see Microsoft give us some guidance on code in modular form on how we deploy certain resources. So say, for example, Key Vault: how does Microsoft prescribe you deploying that Key Vault in your environment, right? So that's been something which the community has been asking us for, and we're happy to announce at this conference that we're coming up with that capability, with something called Azure Verified Modules, that will be available not just in Terraform but Bicep, and we were looking to have parity between the two. So whether you're doing Terraform or you're doing Bicep, you'll have parity between the two. And for those of you who might have been familiar with earlier iterations of this, we've had Terraform Verified Modules, and for Bicep we used and we have CARML. It's an amalgamation of both; we're bringing them both into a single framework called Azure Verified Modules. What does this specifically provide you? So this basically provides you a specification for quality, tested and maintained modules for Azure by Microsoft. So this is something which we hope helps you with part of that last mile on the journey that we've been talking about, and again the short link and the QR code are there, so please do check out more for details, and obviously your feedback is what helps us drive this forward.

Now, I think we've talked enough, but let's see all of this in action, right? So if we want to put all of this together, what we're going to do is go into a demo, and we're going to leverage something called the Azure Landing Zones accelerator. Now what this does is it gets you going with a Q&A-style approach where it's going to ask you some questions, you're going to provide your inputs, and based on that it's going to bootstrap an Azure environment for you using the Azure Landing Zones Terraform module that we just looked at, set up a GitHub repo, set up the actions, set up CI/CD to it, and off you go. It's going to give you some common architecture patterns which you can choose from, and then it's aimed at beginners, but even for our more mature organizations and our more mature community that are looking to get set up very quickly, you would be able to leverage that also.

So with that, let me head us into our first demo for the day. So we're going to kick off here. First of all, we're in the Azure portal. We're going to check the subscriptions that we have, so we've got three subscriptions: management, connectivity and identity. Within these three subscriptions we're going to leverage the management subscription particularly, going into Cloud Shell, checking our account, what context it's set to for the subscription. It's pointing to the management subscription; that looks good. So now, heading over into PowerShell to run a command, the command basically literally says New-ALZEnvironment. You're going to provide your choice of CI/CD, which in this case is going to be GitHub; you're going to provide your choice of IaC, which in this case is going to be Terraform; and then from there on you're going to provide your details in Q&A style.

Hey Bilal, did you just put my GitHub token on there? No, we've deleted that. Yeah, so we've deleted that.

So you can see it's asking you questions, asking you questions around your repo, your architecture, your subscriptions, your networking details, and as you continue to provide that, you can see that it then initializes based on that, gives you a Terraform plan on what it's going to do, you're going to say yes and apply, and from there on it goes ahead and provisions and bootstraps that environment that we just talked about. And there you go. So this is obviously sped up, but it should be fairly quick. It's not that quick; that we did, yeah.

So now back into the Azure portal. So we've got two resource groups. The first one contains the managed identity that Matt was talking about earlier; that's the managed identity which is leveraging those federated credentials for the Terraform apply and plan for our CI/CD. The second resource group contains our storage account. That storage account has a container that's being used to host and securely manage our Terraform state file over there. And then if you go into Access Control, you can see the same managed identity having access as Management Group Contributor, inherited through the management group, and then if you scroll down you will see the same identity having Storage Blob Data Owner also. So those two roles are assigned for it to basically operate.

Really fantastic. So actually those two role assignments mean that we can deploy the ALZ reference architecture, and also have secure access to the state file, without you having to do anything. Yeah, fantastic, absolutely.

So we looked at the portal; now let's head over into the repo. So in GitHub, in our organization, in our repo, we can basically see the team that has been set up to approve the Terraform applies. We can see the repository itself with the code, actually, so you can see the code that's been bootstrapped for us based on our inputs. So it's using the ALZ Terraform module that we just talked about, and you can see it's set up the code all for you, and it's using the modules for hub networking and gateway, as we specified during our Q&A on what we want it to deploy. And then from there, we'll have a look at one of the other files, which is going to be the terraform.tfvars file. You can see all those inputs were the inputs which we provided during the Q&A that it was running through. It set up the CI/CD for us. If you go there, go into Workflows and run the continuous integration workflow, that's basically going to do a Terraform validation for us. Obviously, if you need to, you can update the code before you run through this, outside of the Q&A that you did earlier.

So it validates the Terraform, and then it runs a Terraform plan, and while it's going to run through that, it's going to tell us about what it's going to apply into Azure. Yep. And there are no shared secrets here because we're using that federated identity. Yep. It kind of just works, really easy. Yep. And this works with not just GitHub; this works with Azure DevOps, and we have it in the pipeline for it to work with Terraform Cloud. Yeah. Yep. And there you go. So you can see at the end of that plan it's going to create those 258 resources based on the requirements that we provided it, and then have your Azure environment up and running, with a GitHub repo set up with the code, with the CI/CD, with you just having to run through a simple Q&A. Yep, fantastic. Yep, cool. Thank you.

So we talked about subscription vending not being about just a subscription; it's about reducing that time to first commit. So, going back to that keynote earlier: how do we give these development teams an environment which is useful? So we've done the platform stuff, that's really great, we set that up. The process from a kind of reference architecture point of view is on top there, right: you need to collect some data, you need to run some pipelines, you need to provision some resources, right? But we need to do lots and lots of things in here. So this is the demo we've got for you today. The code again is available publicly; you can have a look at that Git repo. Just to say, we are not reinventing request management here; we are simulating that with an API call to a GitHub Action. We didn't know about Waypoint, otherwise we would have done it on Waypoint, but maybe next year we'll improve this. But yeah, so we're going to run an API call, we're going to kick off a GitHub Action that's going to bootstrap a workspace in Terraform Cloud, and it's going to upload some code to it and configure it. It's also then going to run an apply, which is going to create our subscription, resource groups, identities, networking if you want, but we're also using the GitHub provider as well to create a Git repo from a supplied template. It's going to configure that, and we're also going to create a user workspace for the dev teams to use, right? So that's the context under which their Terraform will apply. So if we can switch over now to the live demo. Gulp. Right. So this is the Git repo we're going to use. It worked earlier.

So we've got some modules here. We've got the Terraform Cloud workspace module, which configures the workspace for the development team. We've got the landing zone vending module, which we spoke about earlier, so several inputs to that: create subscriptions, user-assigned managed identities; we've got some federated credentials, some resource groups, that sort of thing. And in this example we are pre-provisioning the subscription with two resource groups. Now I realize that that isn't actually that useful to developers, but just for time purposes that's what we're doing. In a real-world scenario you might provision an App Service, an AKS environment, something like that, right? For example, if I come and ask you here, through subscription vending, could you deploy a three-tier web farm for the application team? Yeah, as long as you can compose it in here, absolutely. Right, totally possible. So that's kind of, once you've got your platform set up with Azure Landing Zones, subscription vending kind of helps you when an application team comes in and says, hey, we want our application to be deployed on Azure. Subscription vending not just helps you with vending the subscription but also with setting up that landing zone with that application infrastructure in there.

So you'll see that I've carefully changed my GitHub details in this example file, but this is the payload that we're sending the GitHub Action. You can choose whatever schema you want; this is just the one we've chosen, right? So we're going to create some resource groups, set some owners, and this is really important as well: this is the template repository that we are going to clone, make a copy of. Okay, so let's do this. If I go trigger vend hashiconf, right, that's basically sent that to GitHub Actions to start the process off, and now there's a random number in here, so we just have to find out what that is. It's 634; that's going to be important, we're going to need that later. So this is the GitHub repo that we've triggered the action in, and you can see that vend subscription is running. All I want to see here is that the Terraform Cloud stuff has started.

Cool, perfect. So it did run into an issue earlier, but yeah, it didn't work earlier; we tweaked it anyway. You can see that it's created the management workspace now, so it's bootstrapped that, and that is now planning. Okay, so while that's doing that, I just want to take you back here. I don't know how many of you were a child in 1980s Great Britain. I was. Just me? Okay, right. Well, we had this show, this is going to be a weird analogy, we had this show called Blue Peter, and on Blue Peter they used to make and do things like egg boxes, papier-mache, sticking stuff together, right? They also used to have loads of animals on stage, and the animals always used to misbehave and they'd go to the toilet on stage frequently. It was quite amazing. But we didn't have the internet then, so we had to make and do stuff, right? So in the spirit of Blue Peter, what they'd do is they'd make half of a model and then they'd go, oh, here's one we made earlier. So basically that's what I'm going to do now. I'm going to show you one that I made earlier while that's provisioning. If you're wondering, that's what Blue Peter looked like; that's what my childhood was like in the '80s. We have got a half-built snowman right now; we are going to show you a fully built snowman, and then hopefully you'll come back and see the one we've just created. Okay, and yes, that was just to pass the time while it's still provisioning stuff.

So yeah, so this is the repo that... actually, no, let's get to management groups first. So this is the management group where the subscription lives: hashiconf-demo, the original one that we prepared earlier. You can see in here, you can't see in here, there you go, you can see in here that we've got some resource groups which correspond to the resource groups in the request. Now, in reality that might be an AKS cluster or something, right? Oops. You can see in the identity that we again have a federated identity, the new hotness, right, for granting access into subscriptions, but this time the federated credentials are for Terraform Cloud, and the subject identifier is based on the workspace and stuff that we're using. Yep, makes sense.

So let's have a look at the template repository that we are using. So this is the hashiconf-demo template repo; it's been created from that template, and this is what it contains. It's pretty unadventurous, but we wanted to show you that it's really easy to provision resources. So we've got a sample config here, and it's going to create a VNet, a networking space and a VM with a terrible admin password that we probably shouldn't have put in there, but anyway, it's a demo. So what we can do now is have a look at the GitHub Actions that have been configured for us as well, and this is already present; all you have to do is click go and run that, and hopefully we'll get to see that in a minute. Because if we go back to our workspace, we can see the hashiconf demo, and although it hasn't finished, I'm hoping it's created the subscription. So it's about 91 resources.

Right, so if I scroll down here, come on, it has created the subscription. You can see that it's also created the management group association. Okay, so let's go back to our management groups, and whereas before we had one, now we have two. True. Yes, so it worked, it worked. So we've got our new subscription, freshly created, our new subscription ID. Again we've got some resource groups here. If I look at resource group one, it's empty at the moment. So what's the number? The number is 634. Okay, so let's go to hashiconf-demo-634 and have a look at the repo it's just created for us. It's going to look familiar; it's from the same template as the one created before, right? I did not, no, I did not create a thousand repos just to make sure it worked. I should have done, but yeah.

So let's just YOLO it right now, because we've got three minutes left, and let's just run this, and we can see the apply running. So what that's going to do is kick off a really short validation and then it's going to talk to Terraform Cloud and tell it to apply that configuration. Okay, it doesn't normally take that long. So it starts running, does some stuff, it's already doing the init, this is fantastic news. So if I go back to my workspaces in Terraform Cloud, you'll see that it has created a user one, right, in 634. Okay. Again, all of this authentication we didn't have to worry about; it's done for us. So your developer now, at this point, is creating value for your organization. It's doing a plan, it's great, four resources, you've got the VMs there, it's going to work.

Let's go back to the slides now and wrap this up. So we've shown you some of the stuff we make: some of the modules we make, some of the providers we make. If you didn't catch Steven's session last time, please come and talk to us on the Azure booth about AzAPI, because it's really cool. Bilal showed us how we can put that together to really bootstrap your platform environment and get going, and in fact one of the questions that customers ask us most is, cool, we like your modules and stuff, but, you know, give us an opinionated view on pipelines, and we're like, okay, cool, here you go. Don't just tell us it depends. Yeah, don't say that. And then what we've done is we've shown you how to provision code-ready development environments for your developers so they can get going, get creating value really quickly. And with that, that is it. We really appreciate you listening. Please come and see us at the Azure booth; we'll be around for the rest of the day. Thank you for your time. Thank you.
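The AzAPI pattern Matt describes in the subscription vending part of the talk (parent_id as the deployment scope, so a subscription can be created, placed under a management group and populated in one apply, with no subscription ID known when terraform init runs) written out as an added example. This is not code from the talk, from Steven's session or from the ALZ subscription vending module; it assumes AzAPI provider 1.x (body passed through jsonencode, output returned as a JSON string) and treats the billing scope, the management group name and the resource names as placeholders.

```hcl
# Added example (not the talk's or the ALZ module's code): three scopes,
# tenant -> management group -> subscription, in a single terraform apply.
# Assumes azapi 1.x; 2.x takes body/output as HCL objects instead of JSON.

terraform {
  required_providers {
    azapi = {
      source  = "Azure/azapi"
      version = ">= 1.4, < 2.0"
    }
  }
}

provider "azapi" {
  # Workload identity federation (ARM_CLIENT_ID / ARM_TENANT_ID / ARM_USE_OIDC);
  # no client secret appears anywhere in the configuration.
  use_oidc = true
}

variable "billing_scope" {
  description = "Placeholder: EA enrollment account or MCA invoice section the alias is billed to."
  type        = string
}

variable "target_management_group" {
  description = "Placeholder: ALZ management group the new subscription is placed under."
  type        = string
  default     = "mg-landing-zones"
}

# 1. Tenant scope. The subscription alias is a tenant-level resource, so
#    parent_id is "/" and nothing about the subscription needs to exist yet.
resource "azapi_resource" "sub" {
  type      = "Microsoft.Subscription/aliases@2021-10-01"
  name      = "alias-lz-demo"
  parent_id = "/"
  body = jsonencode({
    properties = {
      displayName  = "lz-demo"
      billingScope = var.billing_scope
      workload     = "Production"
    }
  })
  # Export the generated subscription id so later resources in this same
  # apply can use it as their parent scope.
  response_export_values = ["properties.subscriptionId"]
}

locals {
  sub_id = jsondecode(azapi_resource.sub.output).properties.subscriptionId
}

# 2. Management group scope. Associating the subscription here first means
#    the policy assigned at management group level (where ALZ does policy)
#    governs the subscription before any workload resources land in it.
resource "azapi_resource" "mg_association" {
  type      = "Microsoft.Management/managementGroups/subscriptions@2021-04-01"
  name      = local.sub_id
  parent_id = "/providers/Microsoft.Management/managementGroups/${var.target_management_group}"
}

# 3. Subscription scope, still the same apply: a resource group inside the
#    subscription created in step 1. With azurerm alone this step would need
#    a second root module, because the provider wants the subscription id
#    at init time.
resource "azapi_resource" "rg_network" {
  type      = "Microsoft.Resources/resourceGroups@2022-09-01"
  name      = "rg-lz-demo-network"
  location  = "uksouth"
  parent_id = "/subscriptions/${local.sub_id}"
  depends_on = [azapi_resource.mg_association]
}
```

The identity running this needs rights on the billing scope to create subscriptions and Management Group Contributor (or equivalent) on the target management group to add the subscription to it; the api-version in each `type` must be one the resource provider actually supports, which is what gives the "any API version, including private preview" flexibility mentioned in the session.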
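The keyless CI/CD identity shown in the accelerator demo (a user-assigned managed identity trusted by GitHub's OIDC issuer through a federated credential, Management Group Contributor at the management group and Storage Blob Data Owner on the state container), as an added example. It is not the accelerator's own code; it assumes azurerm 3.x, and the GitHub organization, repository, environment, management group id and storage names are placeholders. The storage hardening (shared key disabled, versioning) is an addition the demo does not show.

```hcl
# Added example (not the accelerator's code): GitHub Actions -> Entra ID
# trust with no shared secret, plus the two role assignments from the demo.
# Assumes azurerm 3.x; names are placeholders.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.80"
    }
  }
}

provider "azurerm" {
  features {}
  # Needed because shared_access_key_enabled is false below: the provider
  # manages the container through Entra ID instead of the account key.
  storage_use_azuread = true
}

variable "root_management_group_id" {
  description = "Placeholder: ALZ intermediate root management group id."
  type        = string
  default     = "alz"
}

resource "azurerm_resource_group" "identity" {
  name     = "rg-alz-mgmt-identity"
  location = "uksouth"
}

resource "azurerm_user_assigned_identity" "cicd" {
  name                = "id-alz-cicd"
  location            = azurerm_resource_group.identity.location
  resource_group_name = azurerm_resource_group.identity.name
}

# Trust relationship. GitHub mints a short-lived OIDC token per job; Entra
# ID checks issuer, audience and subject and exchanges it for an access
# token for this identity. Nothing long-lived is stored on either side.
# The subject must match exactly (no wildcards), so bind it to a deployment
# environment rather than to "any branch of the repo".
resource "azurerm_federated_identity_credential" "github_apply" {
  name                = "github-alz-platform-apply"
  resource_group_name = azurerm_resource_group.identity.name
  parent_id           = azurerm_user_assigned_identity.cicd.id
  audience            = ["api://AzureADTokenExchange"]
  issuer              = "https://token.actions.githubusercontent.com"
  subject             = "repo:contoso/alz-platform:environment:alz-apply"
}

# Role 1 (as in the demo): management-group-scoped rights for the ALZ
# hierarchy. The ALZ module also deploys policy and role assignments, so
# confirm the role you pick covers every action your configuration makes.
resource "azurerm_role_assignment" "mg" {
  scope                = "/providers/Microsoft.Management/managementGroups/${var.root_management_group_id}"
  role_definition_name = "Management Group Contributor"
  principal_id         = azurerm_user_assigned_identity.cicd.principal_id
}

# State storage. Disabling the shared key forces every reader of the state
# file, including the backend, through Entra ID RBAC; versioning gives a
# recovery path if a bad apply corrupts the state blob.
resource "azurerm_storage_account" "state" {
  name                      = "stalztfstate001" # placeholder, must be globally unique
  resource_group_name       = azurerm_resource_group.identity.name
  location                  = azurerm_resource_group.identity.location
  account_tier              = "Standard"
  account_replication_type  = "GRS"
  min_tls_version           = "TLS1_2"
  shared_access_key_enabled = false
  blob_properties {
    versioning_enabled = true
  }
}

resource "azurerm_storage_container" "tfstate" {
  name                  = "tfstate"
  storage_account_name  = azurerm_storage_account.state.name
  container_access_type = "private"
}

# Role 2 (as in the demo), scoped to the one container rather than the
# whole account, so the pipeline identity cannot read other state files.
resource "azurerm_role_assignment" "state" {
  scope                = azurerm_storage_container.tfstate.resource_manager_id
  role_definition_name = "Storage Blob Data Owner"
  principal_id         = azurerm_user_assigned_identity.cicd.principal_id
}
```

On the GitHub side the workflow needs `permissions: id-token: write`, the job must run in the `alz-apply` environment named in the subject (so environment protection rules gate the apply, which is how the approval team in the demo gets enforced), and Terraform is configured with `ARM_USE_OIDC=true`, `ARM_CLIENT_ID` set to the identity's client id and `use_azuread_auth = true` / `use_oidc = true` in the azurerm backend block. The principal that runs this bootstrap itself needs a data-plane role on the storage account, because with the shared key disabled even container creation goes through Entra ID.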