Terraform On Azure: Robust IaC With Microsoft Cloud
It comes with an array of benefits, from being a well-known industry-standard language to facilitating automation.
Wondering how to make the most of Terraform Azure? The infrastructure as code tool allows users to build, change, and destroy Azure infrastructure in a safe, consistent and repeatable way. Rather than manually managing infrastructure, when you use Terraform you can manage multiple platforms, write code quickly, commit configs to version control, and track resource changes throughout your deployments.
Terraform providers use application programming interfaces (APIs) to allow Terraform to interact with a scalable cloud environment like Microsoft Azure. This article delves into Terraform basics, what Terraform Azure is, how to use it, and its benefits.
What is infrastructure as code?
Infrastructure as code (IaC) is a descriptive model for managing and provisioning infrastructure like virtual networks and machines, load balancers, firewalls and application platforms.
It works via code rather than manual processes, and uses the same versioning principles that are used for source code. Every time a certain IaC model is applied, it generates the same environment.
Why is IaC useful?
Along the release pipeline of any DevOps project, environment drift will likely occur, resulting in every individual deployment environment becoming unique. As a consequence, each environment cannot be quickly and automatically reproduced, and inconsistencies can slow down and complicate development and deployment – manual processes that could have been avoided suddenly become necessary.
IaC, therefore, prevents and/or remedies these inconsistencies. Running IaC (like Terraform) can configure unique environments into one consistent format, provide a template for all development right from the beginning, or offer a safe platform for testing modified infrastructure configurations.
If environments need to be changed or adapted mid-development, teams can edit the source code (in the form of the IaC) to roll out the changes across all environments, rather than editing each environment individually.
These features lead to additional benefits, including:
- Application testing in production-like environments that can be adjusted
- Testing for deployment issues and validating viable infrastructure configurations
- Fast roll-out of stable environments at a large scale
- Unified practices and tools across your DevOps team
What is Terraform?
HashiCorp Terraform is an open-source IaC tool that defines cloud and on-premise resources in configuration files that are human-readable and can be understood and accessed by users across different dev teams.
These files can be versioned, reused, and shared to form a consistent infrastructure workflow throughout the infrastructure’s entire lifecycle. It works by creating and managing resources through their APIs. As long as an accessible API is present, Terraform can connect any platform or service, including DNS entries, SaaS, data storage, and networking resources.
What is Terraform used for?
Terraform is capable of managing thousands of different types of resources and services, thanks to the development input of the growing Terraform community. It, therefore, provides a flexible, powerful, long-term means of managing infrastructure via the cloud.
DevOps engineers can provision the resources (physical and cloud-based) that an application needs to run, purely programmatically.
The result is fully disposable environments that can be deconstructed, modified, and rebuilt in line with testing, to identify the best possible improvements to infrastructure without the costs of real investment. Upgrading infrastructure becomes simpler and cheaper, and more effective.
Is Terraform only for Azure?
Azure is one of hundreds of systems that Terraform supports via 200 official or verified providers, and more than 2000 community-led ones.All providers can be found on the Terraform Registry.
Is Terraform a Microsoft product?
Terraform is owned by HashiCorp. However, Microsoft facilitates Terraform development by offering a dedicated team for Azure-related providers.
How and when to use Terraform with Azure
This section covers the Terraform command line interface and common commands and subcommands, plus prerequisites for Terraform to run, plugins that are compatible with Terraform, plus the state file and how to plan and apply your deployments.
Terraform CLI tools & providers
“The command line interface to Terraform is via the <terraform> command, which accepts a variety of subcommands such as ‘terraform init’ or <terraform plan>” says the Terraform documentation.
Terraform commands
If you want to view the commands available, run ‘terraform’, with no additional arguments. The main ones are:
- init – Here, you prep your working directory for other commands
- validate – This one’s all about checking whether the config is valid
- plan – Using this command, you can preview changes required by the current config
- apply – This command creates or updates infrastructure
- destroy – As you may expect, this one destroys (deletes) previously-created infrastructure
Less common and more advanced commands include console, fmt, force-unlock, get, graph, import, login, logout, output, providers, refresh, show, state, taint, untaint, version, and workspace.
If there’s something you want to learn about more, use the built-in help system that’s accessible using ‘-help’ and the relevant subcommand. For instance, if you’re keen to know about the ‘plan’ subcommand, run ‘terraform plan-help’.
Terraform requirements
What are the prerequisites for Terraform to run? It expects to be called from a working directory that has config files written in the Terraform language. You must initialize the working directory before Terraform can perform anything – for example, provisioning infrastructure or modifying state.
Terraform working directory
Terraform working directory generally contains:
- A Terraform configuration that outlines resources Terraform should manage – this is expected to change over time
- A hidden ‘.terraform’ directory that’s created during initialization and is automatically managed by Terraform. Among other things, it’s is used to manage cached provider plugins and modules
- State data, if the default ‘local’ backend is being used. If the directory only uses the default workspace, state data is managed by Terraform in a ‘terraform.tfstate’ file. If the directory uses multiple workspaces, state data is managed in a ‘terraform.tfstate.d’ directory
To initialize a working directory, run the ‘terraform init’ command. Post-initialization, you can perform other commands such as ‘terraform validate’ and ‘terraform apply’. Commands that rely on initialization will fail and show an error if you don’t run ‘terraform init’ first. Initialization prepares a directory by:
- Accessing state in the configured backend
- Downloading and installing provider plugins
- Downloading modules
To interact with cloud vendors, software as a service (SaaS) providers, and application programming interfaces (APIs), Terraform relies on plugins – aka providers. A config must declare the providers they need, so Terraform can install them.
Well-known publicly available providers include Azure (of course), Amazon Web Services (AWS), Google Cloud Platform (GCP), and Kubernetes.
Keep the state file safe and secure
Info about your infrastructure and resources created by your config is stored by default in a local state file named "terraform.tfstate". It’s also possible to store this state remotely – advantageous when you work in a team and for running in a CI/CD environment. For Terraform to function, state is a requirement. Why?
- Mapping Terraform configs to real-world resources
- Tracking metadata like resource dependencies
- Storing a cache of attribute values for resources in the state as a way to improve performance (useful for larger infrastructures)
- Syncing, so that all team members using Terraform are working with the same state, meaning operations are applied to the same remote objects
Whatever infrastructure exists that’s not in state, isn’t managed by Terraform. And wherever your state file is stored, make sure it’s safe and secure.
Plan and apply your deployments
Terraform has the ability to create, modify, and destroy infrastructure resources to match the desired state of a Terraform config. Have you heard people talk about “running Terraform”? What they usually mean is performing provisioning actions to impact real infrastructure objects.
Three basic provisioning tasks are at the heart of Terraform: ‘plan’, ‘apply’ and ‘destroy’. To expand a bit of the definitions outlined above:
- terraform plan – This assesses a config, determines the desired state, and then compares the desired state to the real infrastructure objects in the current working directory. When the difference between the current and the desired state is established, terraform plan shows a description of the changes required to reach the desired state. Note: no actual changes to real-world infrastructure objects are performed.
- terraform apply – Here you have a command that performs a plan and then also carries out the planned resource changes. The user is generally asked to confirm changes.
- terraform destroy – This command destroys (deletes) resources managed by the current working directory. How? It uses state data to ascertain which real-world objects correspond to managed resources. Again, the user is asked to confirm before going ahead and the difference is shown.
Benefits of Terraform on Azure Cloud
The pros of using Terraform for Azure infrastructure management are numerous, including a common IaC tool, automation of infrastructure, and the ability to link Azure with other services.
Moreover, Terraform has multiple providers that you can use together to create a multi-cloud, multi-system infrastructure. For example, with the same Terraform project, you can provide infrastructure in Azure, AWS, GCP, user groups and repositories in Azure DevOps and/or Github, plus dashboards in Grafana, Splunk or New Relic.
Stable and repeatable deployments
Terraform has a template-based configuration file syntax, meaning you can configure and deploy Azure resources repeatedly and predictably – in other words, automate it. By automating the deployment and management of infrastructure, you lower deployment and testing costs by creating them on-demand.
Other advantages include reducing the potential for human error while freeing up manpower for other tasks, and creating identical development, test, and production environments as a result of deploying the same template multiple times.
Well-known industry-standard language
There are other IaC tools you can use with Azure provider, like Azure Bicep, Ansible, and Pulumi.
However, Terraform emerged as the industry standard and is widely used not only for Azure, but other cloud infrastructure providers such as AWS and GCP, source code management systems like GitHub and GitLab, and monitoring systems like New Relic, Datadog, and Grafana – facilitating a "one-to-rule-them-all" approach.
Considering all the perks that come with Terraform and its wide use, it might seem as a perfect solution for everyone but, obviously, there’s no perfect tool that will cover every custom need. Terraform, like the rest of this kind of tool, has some drawbacks that you have to examine before making the final decision on what is the best option for your needs.
Manage entire Azure ecosystem in one place
A handful of Terraform providers facilitate the management of the entire Azure ecosystem, including:
- AzureRM - managing Azure resources such as Virtual Machines, Virtual Networks, Storage Accounts that can be organized in an Azure resource group or a subscription
- Azure Stack - Managing resources in Azure Stack
- AzureDevops - For configuring Azure DevOps - the Microsoft SaaS platform in terms of project management and team collaboration (formerly known as Visual Studio Team Services)
- AzureAD - Used to manage the Azure Active Directory service
- AzAPI - A relatively new provider that allows you to interact with Azure via direct calls to Resource Manager API. AzAPI compliments AzureRM by allowing interactions with resources that aren’t yet or may never be supported by AzureRM, like private or public preview services and features.
As such, Azure has more than one official provider; each targets different parts of the Azure (Microsoft) ecosystem.
Making the most of Terraform-Azure-based IaC
Terraform Azure is an excellent way to manage your Microsoft infrastructure, whether you’re starting from scratch or migrating from another provider.
The combination of Terraform and Azure gives users unparalleled flexibility, control, and reliability. With commands and subcommands like ‘plan’ or 'apply', it's easy to automate safely repeated deployments so that automation becomes possible - reducing costs in no time!