Using Terraform to manage Azure - My experience with Azure & Terraform
by Chenlong 2019-04-02
We're living in an Agile world, especially when it comes to the Cloud.
During the last few months, I've been working on the improvement of my company's cloud infrastructure in Azure by using Terraform, and I found it's a very powerful tool to manage the resources in the cloud.
Background story
Our Dev & Test environments have lived inside a specific Azure subscription for years. Since we didn't implement access policies for developers, things got pretty messy at some point: people were creating, modifying and scaling resources as they wanted, most of the time directly through Azure Portal. After a while, it became unmaintainable and confusing because not everyone followed the same rules on resource naming and grouping. You might find virtual machines that hadn't been used for months, redundant services, random instances popping up once in a while, overscaled tiers, etc.
Infrastructure as Code
Terraform gives us the ability to create, change and improve infrastructure safely and predictably. It supports many popular providers in the industry, including AWS, Azure, Alicloud and more: https://www.terraform.io/docs/providers/index.html
In my opinion, it could bring some significant benefits to the DevOps lifecycle:
1. Set up Azure resources more quickly than usual
Since Terraform uses the AzureRM API directly, it avoids the wait time and frontend bugs you get in the browser when clicking around Azure Portal. In my experience, depending on the type of resource, the creation time could be 3 times shorter with Terraform. Most importantly, you have all the configuration parameters in one file, instead of having them all over the place per service type.
Plus, it saves you the time spent logging in and browsing. You can easily set up authentication by using a service principal as described here: https://www.terraform.io/docs/providers/azurerm/auth/service_principal_client_secret.html
Another big plus is that it helps in both directions: creation and deletion. Rather than clicking the delete button on each resource, you can do it with a single command in the CLI.
2. Provide reusable provision templates
Once you've created a TF template that contains all the necessary resources of your environment (say, 3 resource groups, 2 app service plans with 11 app services, 2 SQL servers with 5 databases and 1 Application Insights instance), you can reuse it to provision the other environments.
All you need to do is make sure you have a variable for the environment, and that your scripts use variables rather than hardcoded values.
This helps DevOps deploy identical resources across environments and ensures consistency between your Dev, Test, Preprod, and Prod environments big time.
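A minimal template that combines the service principal authentication from point 1 with the environment variable described here. This is an added example, not the author's configuration; it assumes Terraform 0.13 or later and azurerm provider 2.x, and the `myapp` prefix, region and SKU choices are constructed for illustration.

```hcl
# Added example; "myapp", the region and the SKU choices are constructed.
# No credentials appear here: the azurerm provider reads ARM_CLIENT_ID,
# ARM_CLIENT_SECRET, ARM_SUBSCRIPTION_ID and ARM_TENANT_ID from the
# environment, so the service principal secret never lands in Git.
terraform {
  required_version = ">= 0.13"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 2.0"
    }
  }
}

provider "azurerm" {
  features {}
}

variable "environment" {
  type = string
  validation {
    condition     = contains(["dev", "test", "preprod", "prod"], var.environment)
    error_message = "The environment must be one of: dev, test, preprod, prod."
  }
}

locals {
  prefix   = "myapp-${var.environment}"
  location = "westeurope"
  tags     = { environment = var.environment, managed_by = "terraform" }
}

resource "azurerm_resource_group" "app" {
  name     = "${local.prefix}-rg"
  location = local.location
  tags     = local.tags
}

resource "azurerm_app_service_plan" "app" {
  name                = "${local.prefix}-plan"
  location            = azurerm_resource_group.app.location
  resource_group_name = azurerm_resource_group.app.name
  tags                = local.tags
  sku {
    # Smaller tier outside prod; same template everywhere else.
    tier = var.environment == "prod" ? "Standard" : "Basic"
    size = var.environment == "prod" ? "S1" : "B1"
  }
}
```

Running `terraform plan -var environment=test` previews the Test environment from the same files; the `validation` block rejects any environment name outside the agreed list, which keeps resource naming and tagging consistent.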
3. Easy to maintain with Git or any other VCS
Since Terraform scripts are stored as .tf files, you can integrate them into your version control system, and maintain them as code.
For Azure, they have very rich documentation that contains lots of examples: https://www.terraform.io/docs/providers/azurerm/index.html
The latest version of the doc can be found on Github as well: https://github.com/terraform-providers/terraform-provider-azurerm/tree/master/website/docs/r
4. Make the cloud environments more secure and agile
By using Terraform we can avoid manual configuration directly through Azure Portal, and this is critical to the security of your cloud environment. It's sad but true that humans tend to make errors more often than computers do, and manual configuration increases the chance of screwing up existing resources.
As an administrator of the IaaS, you definitely don't want to accidentally delete the wrong resource group.
Also, managing cloud resources should be agile and fun, not as dumb boring as clicking in a browser or receiving a timeout message after 5 hours of waiting from Azure Portal (might be exaggerated but you get my point :p)
Other thoughts
I chose Terraform over ARM (Azure Resource Manager) deployment templates because I find it cleaner and lighter, but in some situations we still need ARM templates because the resource type is not supported in Terraform (such as App Service Environment). The best practice would be to combine Terraform and ARM templates.
If you're also into DevOps & Cloud, or you have questions regarding the subject, feel free to contact me or leave comments below.