In this blog, we will look at how to create infrastructure in Azure using Terraform from an Azure DevOps deployment pipeline. Terraform is an open-source tool for building, changing, and versioning infrastructure safely and efficiently.
I will guide you through the process of creating a Kubernetes cluster on Azure using Terraform and Azure DevOps. There are quite a few moving parts to configure, and a series of steps to run through, to make it work. We will go step by step through the following activities:
- Creating Service Principal and Client Secret using Azure CLI.
- Creating an SSH key pair that is passed to Terraform; Terraform passes the public key through to AKS, and we can use the private key to access the machines running in the Kubernetes cluster.
- Running a Bash script to create Azure Storage and Azure Key Vault.
- Creating the Azure DevOps pipeline to deploy ACR and the Kubernetes cluster using the Terraform configuration files.
The diagrams below show the overall process:
The second diagram shows how to create an Azure DevOps CI/CD pipeline that will deploy and manage an Azure environment using Terraform. The Terraform configuration files are pushed to the Azure DevOps repository, and a YAML pipeline is created that uses those configuration files to create the Azure Container Registry and the Azure Kubernetes cluster.
Before starting, you will need to have:
1. Azure Portal free account
2. Azure DevOps account
3. Azure CLI installed
4. Terraform installed
I will also assume you already have working knowledge of Azure, Azure DevOps, Terraform, Docker, and Kubernetes, as it would be hard to cover everything here.
Terraform configuration files:
I have already created three Terraform configuration files to create the resources in Azure: main.tf, variables.tf, and output.tf.
main.tf is where the actual code is located to create the Azure Kubernetes cluster and Container Registry, and to configure a storage backend to maintain the Terraform state.
I have added these files in GitHub: https://github.com/Pujago/DeployK8sInsfrastructureUsingTerraform
We will be using these files to create a DevOps pipeline to deploy the infrastructure using Terraform.
Let's start with hands-on:
Creating a Service Principal and a Client Secret
Using a Service Principal, also known as an SPN, is a best practice for DevOps. You need a service principal to be able to talk to Azure.
To authenticate using the Azure CLI, use the command below:
az login
This will launch the browser, and after authenticating your account you will see output as below:
Next we need to create the SPN and grant it Contributor rights. I am creating an SPN with the name "terraformstatesp" as below:
Please take a note of the appId, password, tenant, and subscription id, as we will be storing these as secrets in Azure Key Vault.
To see the SPN created in the Azure Portal, go to Azure Active Directory -> App Registrations -> All Applications.
A storage account is required to maintain the Terraform state in Azure Storage. By default, the Terraform state is stored locally when you run the terraform apply command, and it stores sensitive data in cleartext. This is not suitable when working in a team, where we need to collaborate and share the state file, so we need to store the state in a remote backend. We will therefore create a storage account in Azure to use as the backend for the Terraform state.
Creating the storage account takes a few commands to run:
- Create the storage account - This will be created in the resource group created in Step 1.
- Get the storage account key - This is needed to allow Terraform to save the state files to the storage account, and also to create the storage container. Please note this account key, as it will be stored in Azure Key Vault as a secret so that it can be used by Terraform.
- Create the storage container - Create a storage blob container.
We will then create an Azure Key Vault to store the appId, password, tenant, and storage account key, and allow the SPN to access the key vault.
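The storage-account and Key Vault steps above as one Azure CLI script, added here as an example; it is not the script from the post's GitHub repository. The resource group, location, storage account, container and vault names, the secret names, and the SPN_* environment variables are all assumptions:

```bash
#!/usr/bin/env bash
# Added example (not the original post's script). Creates the Terraform state
# storage (account, key, container) and a Key Vault holding the SPN credentials
# and the storage key, then grants the SPN read access to the vault.
# Every name below is an assumption: override it via environment variables.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-terraform-state-rg}"   # created in Step 1
LOCATION="${LOCATION:-eastus}"
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-tfstatedemo001}"     # must be globally unique
CONTAINER_NAME="${CONTAINER_NAME:-tfstate}"
KEY_VAULT="${KEY_VAULT:-terraform-state-kv}"
ACCOUNT_KEY=""

# Azure storage account names: 3-24 characters, lowercase letters and digits only.
valid_storage_name() {
  printf '%s' "$1" | LC_ALL=C grep -Eq '^[a-z0-9]{3,24}$'
}

create_state_storage() {
  valid_storage_name "$STORAGE_ACCOUNT" || { echo "invalid storage account name" >&2; return 1; }
  az storage account create --resource-group "$RESOURCE_GROUP" --name "$STORAGE_ACCOUNT" \
    --location "$LOCATION" --sku Standard_LRS --encryption-services blob --output none
  # The key is what the azurerm backend uses to write state; it also creates the container.
  ACCOUNT_KEY=$(az storage account keys list --resource-group "$RESOURCE_GROUP" \
    --account-name "$STORAGE_ACCOUNT" --query '[0].value' -o tsv)
  az storage container create --name "$CONTAINER_NAME" --account-name "$STORAGE_ACCOUNT" \
    --account-key "$ACCOUNT_KEY" --output none
}

store_secrets_in_vault() {
  # SPN_APP_ID / SPN_PASSWORD / SPN_TENANT are the values noted from 'az ad sp create-for-rbac'.
  # Access policies (not RBAC) are used so that 'set-policy' below applies.
  az keyvault create --name "$KEY_VAULT" --resource-group "$RESOURCE_GROUP" \
    --location "$LOCATION" --enable-rbac-authorization false --output none
  az keyvault secret set --vault-name "$KEY_VAULT" --name spn-app-id --value "$SPN_APP_ID" --output none
  az keyvault secret set --vault-name "$KEY_VAULT" --name spn-password --value "$SPN_PASSWORD" --output none
  az keyvault secret set --vault-name "$KEY_VAULT" --name spn-tenant --value "$SPN_TENANT" --output none
  az keyvault secret set --vault-name "$KEY_VAULT" --name storage-account-key --value "$ACCOUNT_KEY" --output none
  # Least privilege: the SPN only needs to read secrets, so grant get/list and nothing else.
  az keyvault set-policy --name "$KEY_VAULT" --spn "$SPN_APP_ID" --secret-permissions get list --output none
}

# Only touch Azure when run with --apply, so the functions can be sourced and checked safely.
if [ "${1:-}" = "--apply" ]; then
  : "${SPN_APP_ID:?required}" "${SPN_PASSWORD:?required}" "${SPN_TENANT:?required}"
  create_state_storage
  store_secrets_in_vault
fi
```

Run it as `SPN_APP_ID=... SPN_PASSWORD=... SPN_TENANT=... ./create-state-backend.sh --apply` after `az login`; the secret names it writes are the ones the pipeline's Key Vault variable group would reference.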