Terraform

What is idempotency?

Idempotency is a term that's used in both mathematics and computer science.

An idempotent operation is one that provides the same result each time you apply it.

What is imperative vs. declarative code?

Generally speaking, imperative code defines both what the program should accomplish and how to achieve the result

In contrast, declarative code defines what the program should accomplish but does not define how to achieve the result.

Think about how you write code in languages like Python, C#, or Java. Each of these languages is imperative. You use variables, conditional statements, and loops to control the state of your program and express the steps you need.

Compare these languages to HTML, which is declarative. HTML describes what elements appear on the page, but it doesn't describe how to display them. The "how" is the web browser's responsibility.

When you're relating imperative and declarative code to infrastructure, consider a few examples. This example shows a Bash script that creates an Azure resource group, an App Service plan, and an App Service instance that uses that plan:

#!/bin/bash

# Create the resource group.

az group create \

  --name my-rg \

  --location westus

# Create the app service plan.

az appservice plan create \

  --resource-group my-rg \

  --name my-asp

# Create the app service.

az webapp create \

  --resource-group my-rg \

  --plan my-asp \

  --name my-webapp

Here, you have full control over the order of each step and how to run each command. Compare this to the following Terraform plan, which accomplishes the same task

resource "azurerm_resource_group" "my" {

  name     = "my-rg"

  location = "westus"

}

resource "azurerm_app_service_plan" "my" {

  name                = "my-asp"

  location            = "westus"

  resource_group_name = "my-rg"

  kind                = "Linux"

  reserved            = true

  sku {

    tier = "Basic"

    size = "B1"

  }

}

resource "azurerm_app_service" "my" {

  name                = "my-appsvc"

  location            = "westus"

  resource_group_name = "my-rg"

  app_service_plan_id = azurerm_app_service_plan.my.id

}

This code is written in Hashicorp Configuration Language (HCL), a declarative language that supports Terraform. Here, you have less control over the order of the steps or how Terraform accomplishes each step. The advantage is that you need only to specify the infrastructure that you want. Terraform figures out the details.

Which approach is better?

When you're considering an imperative versus a declarative approach to your infrastructure, don't focus on which approach is better. Instead, consider the tools that you can use. Choose the tool that matches your skills and best meets your needs.

Some prefer an imperative approach because it gives you fuller control over how your infrastructure is managed. But consider the Bash script that you saw earlier. Say you want to modify the resource group's location from "westus" to "northeurope."

#!/bin/bash

# Create the resource group.

az group create \

  --name my-rg \

  --location northeurope

# Create the app service plan.

az appservice plan create \

  --resource-group my-rg \

  --name my-asp

# Create the app service.

az webapp create \

  --resource-group my-rg \

  --plan my-asp \

  --name my-webapp

When you run this Bash script, you get an error that says the resource group already exists in another location.

Invalid resource group location 'northeurope'. The Resource group already exists in location 'westus'.

To fix this error, you might first delete the existing resource group and then run the Bash script a second time to create a new set of resources. Or you might run the az resource move command to move the existing resources within that resource group to the new location.

In the corresponding Terraform plan, Terraform creates a dependency graph for all the resources that you describe. The graph creates an overall description of what you're building. In doing so, Terraform can often adjust your resources to match your desired state.

resource "azurerm_resource_group" "my" {

  name     = "my-rg"

  location = "northeurope"

}

resource "azurerm_app_service_plan" "my" {

  name                = "my-asp"

  location            = "northeurope"

  resource_group_name = "my-rg"

  kind                = "Linux"

  reserved            = true

  sku {

    tier = "Basic"

    size = "B1"

  }

}

resource "azurerm_app_service" "my" {

  name                = "my-appsvc"

  location            = "northeurope"

  resource_group_name = "my-rg"

  app_service_plan_id = azurerm_app_service_plan.my.id

}

In this case, Terraform must re-create the resource group because you can't reassign a resource group's location. Terraform must also re-create the App Service plan and the App Service instance because it understands that they depend on the resource group.

Terraform takes care of these details for you. All you needed to do was define your requirements.

What tools can you use to apply infrastructure code?

Azure CLI

Azure PowerShell

Azure Resource Manager templates

Ansible

Terraform

Azure SDK

Azure CLI

You can use the Azure CLI to connect to Azure and run administrative commands on Azure resources. As with other command-line interfaces, you can run commands directly from a terminal, or you can add commands to a Bash script or a PowerShell script. The Azure CLI runs on Windows, macOS, or Linux. You can also access it from Cloud Shell.

Here's a basic example that uses the az group create command to create an Azure resource group named "my-rg" in the "westus" location:

az group create \

  --name my-rg \

  --location westus

Azure PowerShell

Azure PowerShell is a module that you add to Windows PowerShell or PowerShell Core. You can then connect to your Azure subscription and manage resources.

Azure PowerShell requires PowerShell to function. PowerShell provides services like the shell window and command parsing. Azure PowerShell adds the Azure-specific commands.

Here's a basic example that uses the New-AzResourceGroup cmdlet to create an Azure resource group that's named "my-rg" in the "West US" location:

New-AzResourceGroup `

  -Name my-rg `

  -Location "West US"

If you run this command multiple times, you get the same resource group back each time. So this command becomes an idempotent operation.

Azure PowerShell is also available two ways:

Inside a browser via Cloud Shell

Locally on Windows, macOS, or Linux

In both cases, you have two modes to choose from. You can use Azure PowerShell in interactive mode, in which you manually issue one command at a time. Or you can use it in scripting mode, where you run a script that consists of multiple commands.

The Azure CLI and Azure PowerShell are roughly equal in terms of what they can do. 

When you're deciding between the Azure CLI and Azure PowerShell, 

choose the one that best fits your team's skills. 

For example, 

if you use PowerShell to administer Windows, 

you'll quickly become comfortable with using Azure PowerShell. 

If you write Bash scripts to administer Linux, you might prefer the Azure CLI.

Azure Resource Manager templates

Azure Resource Manager is the interface for managing and organizing cloud resources. Think of Resource Manager as a way to deploy cloud resources.

If you're familiar with Azure resource groups, you know that they enable you to treat sets of related resources as a single unit. Resource Manager is what organizes the resource groups that let you deploy, manage, and delete all of the resources together in a single action.

A Resource Manager template precisely defines all the Resource Manager resources in a deployment. You can deploy a Resource Manager template into a resource group as a single operation.

A Resource Manager template is a JSON file, making it a form of declarative automation. Here's a basic example that defines an Azure resource group named "my-rg" in the "westus" location:

{

  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",

  "contentVersion": "1.0.0.1",

  "resources": [

    {

      "type": "Microsoft.Resources/resourceGroups",

      "apiVersion": "2018-05-01",

      "location": "westus",

      "name": "my-rg",

      "properties": {}

    }

  ]

}

You can run this template from Azure PowerShell, the Azure CLI, or the Azure portal. Or you can run it from application code through a REST service or API. Here's an example that uses the Azure CLI command az deployment create to deploy the template:

az deployment create --template-file test.json

If you run this command multiple times, you get the same resource group back each time. So this command becomes an idempotent operation.

Note:

Resource manager templates as 'ARM templates'. but preferable to called as 'Azure Resource Manager templates" or "Resource Manager templates"

Ansible

Ansible is an open-source product that's sponsored by Red Hat. It automates cloud provisioning, configuration management, and application deployments. You can use Ansible to provision Azure resources such as virtual machines, containers, networks, and even complete cloud infrastructures. You can also use Ansible to configure your Azure resources after they're provisioned.

In addition to Azure, Ansible supports other public clouds and private cloud frameworks.

You can run Ansible commands directly, or you can write playbooks to deploy more complex configurations. A playbook is a YAML file, making it a form of declarative automation. Here's a basic example that defines an Azure resource group named "my-rg" in the "westus" location:

- name: Example configuration
  hosts: localhost
  connection: local
  tasks:
  - name: Create resource group
    azure_rm_resourcegroup:
      name: my-rg

      location: westus


You use the ansible-playbook command to apply this configuration, like this:

ansible-playbook example.yml

If you run this command multiple times, you get the same resource group back each time. So this command becomes an idempotent operation.

Terraform

Terraform, by HashiCorp, is an open-source tool that provisions and manages cloud infrastructure. Terraform's command-line interface provides you with a simple way to provision Azure resources such as virtual machines, containers, and networks.

Terraform generates an execution plan that describes what it will do to reach the desired state. You can review this execution plan and then run the plan to apply the configuration. As your configuration changes, Terraform determines what has changed and creates incremental execution plans to update only what's necessary.

In addition to Azure, Terraform supports other public clouds and private cloud frameworks.

You typically write Terraform code in HCL. But you can also express your Terraform configuration by using JSON. HCL and JSON are forms of declarative automation. Here's a basic example written in HCL that defines an Azure resource group named "my-rg" in the "westus" location:

resource "azurerm_resource_group" "my" {

  name     = "my-rg"

  location = "westus"

}

You use the terraform apply command to apply this configuration, like this:

terraform apply

If you run this command multiple times, you get the same resource group back each time. So this command becomes an idempotent operation.

Azure SDK

The Azure SDK enables you to access and manage Azure resources from application code by using your favorite programming languages.

The Azure SDK is available for languages such as Java, Node, Python, Ruby, PHP, .NET, and Go. You can also use a REST API to access Azure resources from any programming language.

Here's an example that uses the Azure SDK for .NET to create an Azure resource group named "my-rg" in the "westus" location. This example is written in C#.

IResourceGroup resourceGroup = azure.ResourceGroups

  .Define("my-rg")

  .WithRegion(Region.USWest)

  .Create();

Where can I run my infrastructure code?

You can run your infrastructure code from:

A terminal window or PowerShell

Cloud Shell

A CI/CD pipeline, including Azure Pipelines

Writing infrastructure code can be an iterative process. As you test new ideas, you might need to bring up and tear down your configurations multiple times. For more complex configurations, you might define your infrastructure in smaller pieces, and then fit those pieces together to form your complete cloud infrastructure.

During the development phase, you typically run your infrastructure code directly from a terminal window or Cloud Shell. Visual Studio Code provides add-ins that help you write configuration code. You can run your configuration code from the integrated terminal in Visual Studio Code. Cloud Shell is also a popular choice because it comes with everything you need to run any of the options that we discussed here: Azure CLI, Azure PowerShell, Azure Resource Manager templates, Ansible, and Terraform.

After you have the working configuration that you need, you typically check in your infrastructure code to source control along with your application code. You can then version, build, test, and deploy your applications as a unit.

Because your infrastructure code is maintained along with your application code, you can run your infrastructure code in the pipeline. You might configure the pipeline to apply your infrastructure code after it builds the application, but before you deploy your application to a running environment.

In this module, you first apply a Terraform plan from Cloud Shell to see it working. Then you run it from Azure Pipelines to provision infrastructure for your web application.