Azure DevOps with Terraform and Cisco ACI¶
Estimated time to read: 8 minutes
- Originally Written: October, 2020
We recently had an ACI opportunity where the customer network team was interested in using Terraform to manage this environment. At the same time, another team was all in with Microsoft Azure DevOps services and wanted to understand how this would integrate with Terraform/ACI.
What better way to bring the two teams together than showing them a demo of the integration.
The following posts will guide you through the steps to build the environment.
- Part 1: Architecture overview and storage setup
- Part 2: Azure pipeline setup and testing
- Part 3: Explanation of the configuration files
Component Overview¶
Terraform¶
This demo uses the open-source Terraform offering. Terraform won't be installed manually, as installing it is one of the steps in the Azure pipeline.
Github¶
This stores the source code for the following:
- Terraform configuration files: these contain the necessary details to configure ACI using Terraform.
- Azure Pipeline configuration files: these are the files to run the pipeline, including the steps and jobs.
We'll look at each file later in the post.
Azure DevOps¶
Azure DevOps provides developer services to support teams to plan work, collaborate on code development, and build and deploy applications. Developers can work in the cloud using Azure DevOps Services or on-premises using Azure DevOps Server. Azure DevOps Server was formerly named Visual Studio Team Foundation Server (TFS).
Azure DevOps provides integrated features that you can access through your web browser or IDE client. You can use one or more of the following services based on your business needs:
- Azure Repos provides Git repositories or Team Foundation Version Control (TFVC) for source control of your code
- Azure Pipelines provides build and release services to support continuous integration and delivery of your apps
- Azure Boards delivers a suite of Agile tools to support planning and tracking work, code defects, and issues using Kanban and Scrum methods
- Azure Test Plans provides several tools to test your apps, including manual/exploratory testing and continuous testing
- Azure Artifacts allows teams to share Maven, npm, and NuGet packages from public and private sources and integrate package sharing into your CI/CD pipelines
Source: https://docs.microsoft.com/en-us/azure/devops/user-guide/what-is-azure-devops?view=azure-devops
For this demo we will be using Azure Pipelines.
Azure DevOps Agent¶
This agent is responsible for running the pipeline and can be either Microsoft-hosted or self-hosted. This demo packages the Azure DevOps Agent into a Docker container running on your laptop. This container is where Terraform will be installed and run.
https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/agents?view=azure-devops&tabs=browser
Cisco ACI¶
This demo will integrate Terraform with ACI.
Amazon S3¶
Terraform keeps track of the infrastructure state. For this demo, the state file (terraform.tfstate) will live in an AWS S3 bucket, as I already had one set up. You could use the equivalent Azure offering to store the state file, or any Terraform-supported backend.
Installation and Setup¶
Prerequisites¶
- Git on your local machine
- Docker on your local machine
- AWS (if using S3) and Azure accounts
Git Setup¶
- Fork the example repo to your own account: https://github.com/conmurphy/terraform-aci-testing
AWS S3 Bucket setup¶
- Login to your AWS account: https://console.aws.amazon.com/
- Select or search for the IAM service
- On the left hand menu select Policy and then the Create policy button
- Provide a name for the new policy
- Click Create policy
This policy allows a user access to an S3 bucket. We now need to create a user and group to consume this policy.
- On the left hand menu of the IAM service page, navigate to Groups, and then Create New Group
- Provide a group name and click next
- In the search field, find the new policy that you just created for the S3 bucket and select the checkbox
- Keep clicking next until the group is created and you're back at the IAM service page
- On the left hand menu of the IAM service page, select User and then Add user
- Provide a name for the user and select the Programmatic access check box
- Click next
- Add the user to the new group that you just created and click next until you have created the user and are back at the IAM services page
- Select the new user and copy the User ARN. This will be used shortly in the S3 bucket policy
- Select the Security credentials tab and Create access key
- Copy the access key and secret key that are created. These will be entered into the Azure DevOps page as variables
- Select Services in the top left corner of the page and then search and navigate to the Amazon S3 service
- Select Create bucket
- Provide a name and region for your bucket
- Uncheck the Block all public access box and check the first two boxes as shown in the picture below
- Select Create Bucket at the bottom
- From the S3 main page select the newly created bucket. You should see the following page
- Navigate to the Permissions tab, then the Bucket Policy sub tab
- Paste the following code into this window
  - Make sure to update the ARN field with the value you previously copied
  - Also ensure the bucket name in the Resource is the same as your bucket
- Click Save
```json
{
  "Version": "2012-10-17",
  "Id": "Policy1602768568422",
  "Statement": [
    {
      "Sid": "Stmt1602768564929",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::878415688:user/azure_devops_terraform_aci_demo_user"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::azure-devops-terraform-aci-demo-s3-bucket",
        "arn:aws:s3:::azure-devops-terraform-aci-demo-s3-bucket/*"
      ]
    }
  ]
}
```
Recap¶
The steps we just went through:
- Create a policy that allows a user to work with S3 buckets
- Map this policy to a new group
- Create new user and add them to the group with the S3 buckets policy
- Create new S3 bucket
- Allow the user access to this bucket (JSON policy above)
If you see any errors from Terraform with an access denied error message, check that the IAM user/group/policy and S3 bucket policy configuration is correct.
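As an added check that is not part of the original post: a small Python helper that validates the edited bucket policy against the user ARN and bucket name you intend before you paste it, so a copy-paste mismatch shows up here rather than later as a Terraform access denied error. The sample policy, account id and bucket name below are constructed, not the post's values.

```python
import json
import re

# Constructed sample (not the post's values): a bucket policy in the same shape
# as the one pasted into the S3 console, after editing the ARN and bucket name.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowTerraformStateUser",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:user/azure_devops_terraform_aci_demo_user"},
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::my-terraform-state-bucket",
                 "arn:aws:s3:::my-terraform-state-bucket/*"]
  }]
}"""

# IAM user ARNs carry a 12-digit account id; a mangled id is an easy way to get "access denied".
USER_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:user/[\w+=,.@-]+$")


def check_bucket_policy(policy_json, user_arn, bucket):
    """Return {'errors': [...], 'warnings': [...]}: errors are ARN/bucket mismatches,
    warnings are grants broader than a Terraform state backend needs."""
    errors, warnings = [], []
    if not USER_ARN_RE.match(user_arn):
        errors.append(f"{user_arn!r} is not a well-formed IAM user ARN")
    expected_resources = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        # Principal may be a dict or the bare string "*"; the fields below may be string or list.
        principal = stmt.get("Principal", {})
        principals = principal.get("AWS", []) if isinstance(principal, dict) else principal
        principals, resources, actions = (
            [x] if isinstance(x, str) else x
            for x in (principals, stmt.get("Resource", []), stmt.get("Action", [])))
        if user_arn not in principals:
            errors.append(f"{sid}: Principal does not include the copied user ARN")
        if "*" in principals:
            warnings.append(f"{sid}: Principal '*' opens the bucket to every AWS identity")
        if set(resources) != expected_resources:
            errors.append(f"{sid}: Resource does not name bucket {bucket!r} and its objects")
        if "s3:*" in actions or "*" in actions:
            warnings.append(f"{sid}: {actions} grants every S3 operation; a state backend "
                            "only needs ListBucket, GetObject, PutObject (and DeleteObject)")
    return {"errors": errors, "warnings": warnings}
```

Run it with the ARN you copied from the IAM user page and your real bucket name; an empty errors list means the policy matches what you intend, and the warnings tell you where the grant is wider than the state backend requires.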
Next Steps¶
Part 2: Azure pipeline setup and testing