Use Terraform and Azure DevOps to Provision Azure Kubernetes Service (AKS)
As many of you already know, Terraform is a service that could deploy resources through templates with Hashicop Configuration Language (HCL). HCL is just another language format like JSON or YAML. Essentially, Terraform would read through the information files with extension of “.tf” and deploy them into the cloud environment you prefer. It is the same kind of language structure for deploying in Azure, AWS and GCP. The technology industry referred the process as “Infrastructure as Code” or IaC.
In this article, we would focus on provisioning an AKS cluster on Azure.
- An Azure active directory service principal (AAD SP) that has the permissions to deploy resources within the Azure subscription.
- Create an AAD SP
- Assign the AAD SP with sufficient permissions: To save additional troubles, please assign “Contributor” to the AAD SP.
2. Understand the provisioning flow of Terraform
There are 5 steps and each step is well explained in the official documentation.
3. Install Terraform
Select the right instructions to follow depending on your working machine’s operating system. Mine is Windows Subsystem for Linux 2 (WSL2) — Ubuntu so I chose Ubuntu/Debian.
4. Provisioning the Azure resource, AKS
Follow through the official documentation for provisioning AKS on Azure. This step could be skipped since it is covered in step 1 in this article. We could see “client_id”and “client_secret” are referred from “variables.tf” in “aks_cluster.tf”. The same concept applies to other places as well. If you would like to know more details about the template to provision AKS, please check this site.
Another thing to note is that the name after each resource, for example
resource "azurerm_kubernetes_cluster" “default”
“default” is basically the short name for other code blocks to refer to the value you set previously. The following screenshot shows how AKS uses the previously defined variable’s short name.
At this point, we have completed the step “Scope” and “Author”. Time for “Initialize”. The process is simple. Just make sure you are within the directory that contains all the “.tf” files, and execute
Something similar to below should be shown in your console.
The plan is executed to know what resources would be created or destroyed.
Lastly, apply is executed for actually performing the operation.
After the apply operation has been performed, it would then be good to check the deployment on the cloud environment, Azure.
We have learned a little how Azure DevOps works in another article and we learn a little how Terraform works in this one. Why not combining them together so IaC could be integrated into the DevOps workflow? Needless to say, there are already so many DevOps/Terraform experts writing articles about how these 2 work together. I personally think this article provides explains every step clearly, but I would of course add the learnings I have when testing out.
- Azure resource group: This is to manage the storage account below
- Azure storage account and container: This is to store the Terraform provisioning state
3. Azure key vault: This is to store any sensitive/confidential information, so AAD SP could retrieve it back to the DevOps operations later instead of exposing it in Azure Pipelines.
Before we even go into the steps of integrating Terraform with Azure DevOps, you could clone my GitHub repository (forked from code-society and modified). First things first, after creating an Azure DevOps Organization and Project, please create a service connection for Azure DevOps to communicate with Azure Resource Manager (ARM). We could choose “Service principal (manual)” to reuse the one we created in the beginning of this article.
Then, we head to pipelines.
If you have cloned my GitHub and select to connect with the one forked in your own GitHub repository, a YAML file like below should be shown as below. This is because of the “azure-pipelines.yaml” inside my GitHub repository.
As we mentioned above, it is very insecure to expose any sort of sensitive/confidential information in the public GitHub repository. So, you could either use Azure DevOps secret variables or retrieve Azure Key Vault secrets as Azure DevOps environment variables.
Azure DevOps secret variables
Azure Key Vault secrets as Azure DevOps environment variables
If everything goes well, all the tasks would end with green check.
Now, it is the time for us to check whether the resources have been deployed to Azure without any issue.
In this article, we get to know a little more how to use Terraform to provision Azure resources and we get to know how to integrate Terraform with CI/CD tools. In this case, we use Azure DevOps for demonstration. Hope this is helping you a little if you are picking either Terraform or Azure DevOps! Happy learning!