Infrastructure Management
Decisions about cloud-native tools such as ARM templates, and cloud-agnostic
tools like Terraform, are crucial, because the tool you select dictates how
cloud resources are created, updated and deleted. Both Terraform and ARM
templates have their pros and cons.
Terraform is an attractive automation tool for teams running their workloads
in multiple clouds or migrating from one cloud to another. Our most recent use
case was an application with a footprint in both AWS (Route 53, S3, etc.) and
IaaS workloads running in Azure.
At a high level, a Terraform implementation requires InfoSec clearance of the
HashiCorp tools against the required security standards (PCI, NIST, etc.), and
expertise in using those tools. In return, you get code modularity, state
management of the Azure resources and a similar codebase for managing both
AWS and Azure. ARM templates provide ready-made templates for deploying Azure
resources, but there is no easy way to share the state of Azure resources that
are already deployed. This matters in large-scale deployments that span
multiple environments and regions. For example, you may need subnet IDs from
West US when deploying NSGs in East US. With remote state backends and
workspaces, Terraform can share that state reliably across regions or tiers:
one deployment reads another deployment's outputs directly from its state
file. And for Azure resources the provider does not yet support, Azure CLI
commands can be run from a local-exec provisioner inside a Terraform resource
block.
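The cross-region handoff described above, as an added example (not code from
the article): a West US network stack publishes its subnet as outputs to an
Azure Blob remote state, and an East US security stack reads them through the
terraform_remote_state data source and also shells out to the Azure CLI for a
step the provider does not cover. It assumes Terraform 0.12+ syntax and the
azurerm 2.x+ provider; every storage account, resource group, VNet, CIDR and
file name below is an assumed placeholder.

```hcl
# Added example, not from the article. Terraform 0.12+ syntax.
# All names (storage account, resource groups, VNet, CIDRs) are assumed.

# ---------- stack 1: westus/main.tf (network, applied first) ----------
terraform {
  backend "azurerm" {
    resource_group_name  = "rg-tfstate"       # assumed
    storage_account_name = "sttfstateexample" # assumed
    container_name       = "tfstate"
    key                  = "westus-network.tfstate"
    # Authenticate with ARM_ACCESS_KEY or Azure AD; never put the key in code.
  }
}

provider "azurerm" {
  features {}   # required by azurerm 2.x+; stack 2 needs the same block
}

resource "azurerm_subnet" "app" {
  name                 = "snet-app"
  resource_group_name  = "rg-westus-net"   # assumed
  virtual_network_name = "vnet-westus"     # assumed, must already exist
  address_prefixes     = ["10.1.1.0/24"]
}

# Outputs are the only contract the other stack consumes; keep them minimal.
output "app_subnet_id" {
  value = azurerm_subnet.app.id
}

output "app_subnet_prefix" {
  value = azurerm_subnet.app.address_prefixes[0]
}

# ---------- stack 2: eastus/main.tf (security groups) ----------
# Reads the West US outputs straight from its state blob. The identity running
# this stack needs only read access to that blob, not to the West US resources.
data "terraform_remote_state" "westus" {
  backend = "azurerm"
  config = {
    resource_group_name  = "rg-tfstate"
    storage_account_name = "sttfstateexample"
    container_name       = "tfstate"
    key                  = "westus-network.tfstate"
  }
}

resource "azurerm_network_security_group" "app" {
  name                = "nsg-app-eastus"
  location            = "eastus"
  resource_group_name = "rg-eastus-sec"   # assumed
}

# An NSG must live in the same region as the subnet it is attached to, so the
# cross-region value consumed here is the West US prefix; the subnet ID is
# exposed the same way (outputs.app_subnet_id) for consumers that accept it.
resource "azurerm_network_security_rule" "allow_west_app" {
  name                        = "allow-west-app-https"
  priority                    = 100
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "443"
  source_address_prefix       = data.terraform_remote_state.westus.outputs.app_subnet_prefix
  destination_address_prefix  = "*"
  resource_group_name         = azurerm_network_security_group.app.resource_group_name
  network_security_group_name = azurerm_network_security_group.app.name
}

# For something the azurerm provider cannot manage yet: run the CLI from a
# local-exec provisioner. The command is a stand-in (a read-only `show`);
# the trigger re-runs it only when the NSG itself changes.
resource "null_resource" "nsg_cli_step" {
  triggers = {
    nsg_id = azurerm_network_security_group.app.id
  }

  provisioner "local-exec" {
    command = "az network nsg show --ids ${azurerm_network_security_group.app.id} --output table"
  }
}
```

Two things to check before adopting this pattern: the blob holding the
network state is now a read dependency of every stack that references it, so
its access policy and versioning need to be treated as part of the NSG stack's
threat model; and anything a local-exec provisioner does is invisible to
`terraform plan`, so keep such steps idempotent and trigger-scoped as above.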
Terraform with Consul and Vault
Terraform state can be stored locally, in Azure Blob storage or in Consul.
Consul adds operational overhead for its installation and configuration, but
it provides a key/value store for the state and a locking mechanism that stops
two deployments from acting on the same state file at the same time (the
Azure Blob backend also locks, using blob leases). This capability is
priceless in multiuser scenarios. Consul also lets you replicate state across
multiple regions. Being a key/value store, Consul is used to store application
and other configuration data as well, even for workloads in different
geographical locations.
Vault is a secret store that uses Consul as its storage backend for keys,
secrets, etc., and securely passes admin credentials and connection strings
to Terraform or the Azure CLI. Vault also provides advanced features such as a
certificate authority (the PKI secrets engine), multi-region coverage, dynamic
secrets and easy integration with Terraform. Future iterations will evaluate
Azure Key Vault as a possible replacement for Vault.
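The Consul-plus-Vault arrangement from the two paragraphs above, as an added
example that is not the article's own code: Terraform keeps its state in a
Consul KV path with locking on, and the azurerm provider takes short-lived
service-principal credentials from Vault's Azure secrets engine instead of a
shared secret. It assumes Terraform 0.12+, the vault and azurerm providers,
and that the Azure secrets engine and its role were configured out of band;
the hostnames, KV path, mount and role names are assumed placeholders.

```hcl
# Added example, not from the article. Terraform 0.12+ syntax; hostnames,
# paths and role names are assumed placeholders.

terraform {
  backend "consul" {
    address = "consul.example.internal:8500"  # assumed
    scheme  = "https"                         # never plain HTTP for state
    path    = "terraform/azure/prod"          # KV key that holds the state
    lock    = true                            # the default; shown explicitly
    # CONSUL_HTTP_TOKEN in the environment supplies an ACL token that should be
    # scoped to this key prefix only.
  }
}

variable "subscription_id" {}
variable "tenant_id" {}

provider "vault" {
  address = "https://vault.example.internal:8200"  # assumed
  # VAULT_TOKEN (or another auth method) comes from the environment, not code.
}

# Dynamic Azure credentials from Vault's azure secrets engine. The engine and
# role are assumed to exist already (roughly: `vault secrets enable azure`,
# then `vault write azure/roles/tf-prod ...`). Each run receives a fresh,
# leased service principal that Vault revokes when the lease expires.
data "vault_azure_access_credentials" "tf" {
  backend        = "azure"    # assumed mount path
  role           = "tf-prod"  # assumed role name
  validate_creds = true       # retry until the new principal is usable in AAD
}

provider "azurerm" {
  features {}
  subscription_id = var.subscription_id
  tenant_id       = var.tenant_id
  client_id       = data.vault_azure_access_credentials.tf.client_id
  client_secret   = data.vault_azure_access_credentials.tf.client_secret
}
```

One caveat a reviewer should raise on this setup: values read through a data
source, the client secret included, are written into the Terraform state, so
the Consul KV path above must be protected by ACLs and TLS as if it were a
secret store itself. The short lease on the dynamic credential bounds the
damage if that state leaks, which a static secret in Consul KV would not.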
Logging and Monitoring
To meet security requirements, any activity within the Azure infrastructure
needs to be logged. Third-party tools for logging and monitoring are quite
mature in the AWS space, but in the case of Azure, custom forwarders are
24 | THE DOPPLER | WINTER 2018