Terraform and Azure Pipelines - Avoid these Beginner's Mistakes!

Captions
Hi, my name is Julie. I'm an engineer at Microsoft, and welcome to my "too long; didn't read" video about Terraform and Azure Pipelines best practices. Like all my videos, this is going to be about world-class engineering in real life, no hello worlds. So check it out if you want to skip some beginner's mistakes, but please read the entire article, which explains in much more detail, and looking at source code, the reasoning behind these recommendations. And don't forget to like this video, comment with feedback, ask questions and subscribe for more.

So the first tip is to use YAML pipelines, not the classic UI-driven pipelines. Those are legacy from Team Foundation Server. What you want to do is use pipelines as code. That's industry standard, that's the industry trend, and in Azure DevOps that's Azure Pipelines: use the YAML.

So the second tip is to use Terraform on the command line, not the YAML task. The YAML task looks simpler at first glance, but over time they end up being just yet another abstraction layer that you have to debug. More importantly, I want you to master technology. I want you to master Terraform, I want you to master Git, on the command line, not a YAML task, to really understand the consequences of what you're doing. And to scale right, not just across multiple teams but also over multiple environments, you need to understand Terraform very well, and you do that best by using the command line, not a YAML task.

Okay, tip number three: use Terraform partial configuration. When you're starting out, you're reading the documentation and you find an example. It looks really easy to read; however, it is including the storage account name, the file name, but also the access key and the SAS token. And if you keep reading to the end of the documentation, you'll see that it's supposed to look like this: an empty partial configuration. All that data that is specific to you is actually stored somewhere else. So on my local machine I use a file; I call it azure.conf. Okay, I do not use .tfvars, which are automatically loaded; that's a security issue waiting to happen. I use .conf as an extension to tell my brain: that's a config file with credentials, be careful. Make sure it's in .gitignore, which mine is. When I'm in a pipeline I don't load a secure file. What I do instead is pass each one of those parameters as a secret via the backend config property to the Terraform command line. It makes it very easy to follow where something is coming from and where it is going. It makes debugging super easy, and this explicit step is not a bad thing. That's why, if you use variables set as secrets in Azure Pipelines, you have to explicitly map those to the environment. So I recommend going a step further and not just using pipeline secrets but also integrating Azure Key Vault.

So number four: how do you authenticate to the Azure Resource Manager API if you're not using the task and a service connection? Easy: you're just going to set the client ID and the client secret of the service principal into your environment as environment variables. You might think, is that safe? Yes. If you were to look into the source code of the official task, the one for the Azure CLI, it's doing just that. Go look in the Terraform documentation; that's what they recommend: set those values into the environment.

Okay, final tip: create a custom role for Terraform. You're using Terraform to create and manage infrastructure, which is the foundational layer for your cloud workload, and in this layer you also probably want to add a certain number of protections. To do that, a Contributor role is not enough. To look at what Contributors can do, we can run this Azure CLI command. Now if we look at it, there are two things that are interesting: the Microsoft.Authorization ones, where you'll see there's a write and there's a delete. We want to give it the write permission so that it can, for example, create an Azure Key Vault access policy. What some people will do is say, "Oh, I can't do that with Contributor, I'm just going to give it Owner rights." That's god mode; you don't want to do that. And another use case that will happen is that if you work in a compliant industry, where I come from, there are certain things you cannot delete for legal reasons, and to do that you apply a management lock on the ARM side that actually can prevent it from being deleted. However, to make sure that that actually has an effect, you have to make sure that your Terraform service principal cannot remove that lock, right? We want to ensure that only a human can do that. So make sure Terraform cannot do it: create a custom role just for Terraform.

So there you have it: five best practices and tips to help you get started using Terraform with Azure Pipelines like a pro. Subscribe to this channel, because I'm gonna add some more content if you like it. Definitely read the whole article. It's really, really long, but it explains everything in detail much better than I can on camera. So read it, check it out, subscribe and see you soon.
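The wiring behind tips three to five (an empty partial backend configuration filled in on the command line, a git-ignored credentials file locally, explicitly mapped secrets in the pipeline, the service principal passed through environment variables, and a custom role that can set but never delete a management lock), as one added shell example. This is not code from the video or from Julie Ng's article. The file name azure.conf, the TERRAFORM_BIN override used for dry runs, the uppercase environment-variable naming for pipeline secrets and the role name "Terraform Infrastructure" are assumptions; the -backend-config flag, the ARM_* variables and the az role definition commands are Terraform's, the azurerm provider's and the Azure CLI's real interfaces.

```shell
#!/usr/bin/env bash
# Added example, not code from the video or the linked article. It wraps
# "terraform init" so that backend settings and credentials never live in
# .tf or auto-loaded .tfvars files, and emits a custom role for Terraform.
# Assumed names: azure.conf (local key=value file), TERRAFORM_BIN, the role
# name "Terraform Infrastructure". The ARM_* variables and -backend-config
# are the azurerm provider's and Terraform's real interfaces.
set -eu

# Settings that an empty partial azurerm backend block leaves out of backend.tf.
BACKEND_KEYS="resource_group_name storage_account_name container_name key"

# True only if the credentials file is listed in .gitignore, so it cannot be
# committed by accident. Assumes the file is referenced relative to the repo root.
check_gitignored() {
  file="$1"; gitignore="${2:-.gitignore}"
  [ -f "$gitignore" ] && grep -qxF -e "$file" "$gitignore"
}

# Print the -backend-config flags. Locally each value comes from the conf
# file; in a pipeline the file is absent and each value comes from a secret
# variable that was explicitly mapped to an uppercase environment variable
# of the same name (RESOURCE_GROUP_NAME, STORAGE_ACCOUNT_NAME, ...).
backend_args() {
  conf="${1:-}"; args=""
  for k in $BACKEND_KEYS; do
    v=""
    if [ -n "$conf" ] && [ -f "$conf" ]; then
      v=$(sed -n "s/^$k=//p" "$conf" | head -n 1)
    fi
    if [ -z "$v" ]; then
      upper=$(printf '%s' "$k" | tr a-z A-Z)
      v=$(eval "printf '%s' \"\${$upper:-}\"")
    fi
    [ -n "$v" ] || { echo "missing backend setting: $k" >&2; return 1; }
    args="$args -backend-config=$k=$v"
  done
  printf '%s\n' "${args# }"
}

# Run terraform init with explicit backend flags. Authentication to the
# Resource Manager API comes from the ARM_* environment variables, which is
# what the azurerm provider reads; nothing secret is written to disk.
tf_init() {
  conf="${1:-}"
  if [ -n "$conf" ]; then
    check_gitignored "$conf" || { echo "$conf is not in .gitignore, refusing" >&2; return 1; }
  fi
  for name in ARM_CLIENT_ID ARM_CLIENT_SECRET ARM_TENANT_ID ARM_SUBSCRIPTION_ID; do
    eval "[ -n \"\${$name:-}\" ]" || { echo "$name is not set" >&2; return 1; }
  done
  args=$(backend_args "$conf")
  # Word-splitting of $args is intended; backend values must not contain spaces.
  # shellcheck disable=SC2086
  "${TERRAFORM_BIN:-terraform}" init -input=false $args
}

# Custom role for the Terraform service principal: Contributor's reach plus
# the Microsoft.Authorization writes Terraform needs (role assignments, locks),
# but still no Microsoft.Authorization deletes, so it can set a management
# lock and can never remove one; only a human with a stronger role can.
# The other NotActions are copied from Contributor; compare with the current
# output of: az role definition list --name Contributor
terraform_role_json() {
  sub="$1"
  cat <<EOF
{
  "Name": "Terraform Infrastructure",
  "Description": "Contributor plus Microsoft.Authorization writes; no Microsoft.Authorization deletes",
  "Actions": [ "*" ],
  "NotActions": [
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Blueprint/blueprintAssignments/write",
    "Microsoft.Blueprint/blueprintAssignments/delete"
  ],
  "AssignableScopes": [ "/subscriptions/$sub" ]
}
EOF
}
# Create the role once, as a human with sufficient rights:
#   terraform_role_json "$ARM_SUBSCRIPTION_ID" > terraform-role.json
#   az role definition create --role-definition @terraform-role.json
```

Locally, `tf_init azure.conf` refuses to run until azure.conf is in .gitignore; in the pipeline, call `tf_init` with no file after mapping each secret variable into the environment, so every value's origin is visible in the YAML. Because the role keeps `Microsoft.Authorization/*/Delete` in NotActions, a `terraform destroy` against a locked resource fails on the lock rather than silently removing it, which is the behaviour the lock is there to guarantee.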
Info
Channel: Julie Ng
Views: 16,639
Id: UaehcmoMAFc
Length: 5min 3sec (303 seconds)
Published: Sat Jan 16 2021