Terraform and Azure DevOps Tips and Tricks
In this final post in the series I thought it’d be useful to share some little tips and what may be thought of as tricks that I’ve come across when using Azure DevOps and Terraform. So without delay, in no particular order, here are those that are my favourites.
Capturing Terraform Values within DevOps Variables and Obfuscating
You may find yourself in the situation where you need to capture a Terraform resource configuration value to an Azure DevOps variable. This tends to be for using in a separate downstream task outside of Terraform.
Setting DevOps pipeline variables from within Terraform can be easily achieved using PowerShell and the local-exec provisioner. The following Terraform resource will capture the configuration values for you into DevOps variables.
resource "null_resource" "terraform-to-devops-vars" {
triggers = {
// always execute
uuid_trigger = "${uuid()}"
}
provisioner "local-exec" {
command = <<EOT
Write-Host "##vso[task.setvariable variable=ServicePrincipleId]${azuread_service_principal.my_app.id}"
Write-Host "##vso[task.setvariable variable=ServicePrinciplePassword]${azuread_service_principal_password.my_app.value}"
EOT
interpreter = ["PowerShell", "-Command"]
}
}
The trigger will always fire, as it uses the uuid() function that will always generate a changed value.
Somebody Call Security…
If we leave things as they are, we will unfortunately expose our variables from within the DevOps outputs, such as the pipeline execution log, which for some values, such as secrets is going to create a security concern.
There is a native DevOps solution to this, and that is to use the IsSecret flag on the task.setvariable call, as below.
Write-Host "##vso[task.setvariable variable=DatabricksSecret;IsSecret=true]${azuread_service_principal_password.databricks.value}"
This will avoid any ‘leaky values’ and allow variables to capture Terraform values safely for use within the pipeline with no unwanted exposure.
Tracking File Changes using MD5 Hashes
Terraform does a great job of determining which resources have changed and need to be updated whenever a ‘Plan‘ or ‘Apply‘ action is made. There are times however when you will want to include other files in your Terraform configurations, such as when using a JSON file to store a REST payload for use in a script. In order to determine whether resources that use these files need to be included in the deployment, we can check against the MD5 hash of the file to see whether the file has changed. To redeploy the resource when the file has changed, we use a trigger that employs the filemd5() function, as below:
resource "null_resource" "exec_some_rest_with_payload_file" {
triggers = {
some_payload_changed = "${filemd5("${path.module}\\..\\Payloads\\SomePayload.json")}"
}
provisioner "local-exec" {
command = <<EOT
.'${path.module}\..\Scripts\REST\ExecuteSomeRest.ps1' `
-ApiRootUrl "https://${var.location}.${var.some_api_root_url_suffix}" `
-SubscriptionId "${var.subscription_id}" `
-TenantId "${var.tenant_id}" `
-ApplicationId "${var.client_id}" `
-Secret "${var.client_secret}" `
-Payload ""${path.module}\..\Payloads\SomePayload.json"
EOT
interpreter = ["PowerShell", "-Command"]
}
}
This ensures that changes to related files used within our deployment are treated in a similar manner to changes to Terraform resource definitions. Nothing too clever this one of our tips and trick, and not really Azure DevOps-specific, just out-of-the-box Terraform native stuff. All the same something very useful that you may not be aware of.
Substituting Resource-Specific Outputs into Non-Terraform Files
This is one of the Terraform Azure DevOps tips and tricks that I find most useful. I’ve used it a lot when there are elements of API calls involved in the deployment. There are plenty of occasions where we find ourselves using scripts for elements of our deployment. Often we will supply a script with a JSON file or similar that contains a number of Terraform resource attributes for use in the script. A classic example of this is as with the above payload for a REST request body. These values may not be available however until deployment time, such as when needing resource module outputs that contain values generated at creation time, such as platform-specific unique ids. Hmmm, what’s a Terraformer to do?
Detokenising to the Rescue
A common technique often used with application or web .config files in the DotNet world is to use placeholder tokens in the config files and then replace these with the required configuration values that are passed in at deployment time. This ‘detokenising’ approach can be employed within Terraform as well. Here’s a simple example of a placeholder from such a file,
"some_platform_resource_id": "#{some_resource_id_as_output}#"
where here we have used ‘#{‘ and ‘}#’ characters to demarcate our placeholders.
We can replace the placeholder tokens in the file using a simple script such as the PowerShell shown below.
param(
[string] $BaseFilePath,
[string] $FileFilters,
[PSCustomObject] $TokenValues
)
Function Update-FileTokens {
param(
[string] $BaseFilePath,
[string] $FileFilters,
[PSCustomObject] $TokenValues
)
<#
.SYNOPSIS
Updates placholder values in a group of files with their replacements.
.DESCRIPTION
Calls the Update-FileToken procedure for files at the base path included based on the names filters.
.PARAMETER BaseFilePath
The path from which to include files, including all subfolders
.PARAMETER FileFilters
A CSV string of the filters to apply to file names.
.PARAMETER TokenValues
A hashtable of tokens and the values to replace them with.
#>
foreach ($filter in $FileFilters.Split(',')) {
$fileNames = Get-ChildItem -Path $BaseFilePath -Recurse -Filter $filter | Select-Object FullName `
foreach ($fileName in $fileNames) {
Write-Host "Started replacing tokens in $($fileName.FullName)."
Update-Tokens -FilePath $fileName.FullName -TokenValues $TokenValues
Write-Host "Finished replacing tokens in $($fileName.FullName)."
}
}
}
Function Update-Tokens {
param(
[string] $FilePath,
[PSCustomObject] $TokenValues
)
<#
.SYNOPSIS
Updates placholder token values in a group of files with their replacements.
.DESCRIPTION
Calls the Update-FileToken procedure for files at the base path included based on the names filters.
.PARAMETER FilePath
The path from of the file for token replacements
.PARAMETER TokenValues
A hashtable of tokens and the values to replace them with.
#>
$content = (Get-Content -Path $FilePath)
$TokenValues.GetEnumerator() | ForEach-Object {
$content = $content -replace $_.Key, $_.Value
}
Set-Content -Value $content -Path $FilePath
}
Update-FileTokens -BaseFilePath $BaseFilePath -FileFilters $FileFilters -TokenValues $TokenValues
We pass in a hash table object keyed on the placeholder tokens that we want to replace, such as ‘#{some_resource_id_as_output}#‘ above, with the values of the hash table entries being the replacements we want to substitute for. The above script will update the placeholders with their values in all files that match the BaseFilePath and FileFilters. Pretty straight-forward stuff.
In order to execute this within Terraform, with the required substitutions made at runtime, we can again use the local-exec provisioner with a PowerShell interpreter, constructing the hash table parameter from our resource attributes and variables and passing this in to the script call. The referencing of the module resource attributes will ensure that the replacements are triggered after these values have been made available so we don’t need any ‘depends_on’ clauses. The following resource snippet shows an example of these placeholders in action.
resource "null_resource" "update-file-tokens-payload-json" {
triggers = {
// always execute
value = "${uuid() }"
}
provisioner "local-exec" {
command = <<EOT
.'${path.module}\..\scripts\util\Update-FileTokens.ps1' `
-BaseFilePath '${path.module}\..' `
-FileFilters '*.payload.json' `
-TokenValues @{
'#{some_config_from_var}#' = "${var.dbr_executable_storage_mount_name}"
'#{some_resource_id_as_output}#' = "${azurerm_template_deployment.some-arm.some-id-as-output}"
'#{some_config_from_secret}#' = "${var.some-secret-value}"
}
EOT
interpreter = ["PowerShell", "-Command"]
}
}
Once our required file has been processed using our Update-FileTokens.ps1 script, we can use the filemd5() trigger approach shown above to determine whether any resources that use this file need to be redeployed. If the file content has been changed by the detokenising, the resource will be redeployed as required.
Adopting this approach is very useful when using Rest API calls with JSON payloads for some elements of the Terraform deployment process. We can keep the payloads in their own JSON files, with any references to Terraform resource outputs and the like as placeholders,. Providing we call our Update-FileTokens.ps1 script before these JSON files are used we are able to treat these API calls like other resource definitions.
Summing Up
Thanks for reading. Quite a long one this time but I do hope the above Terraform and Azure DevOps tips and tricks prove to be of use to you Terraformers out there. Adding these strings to your bow may just help with those situations where Terraform doesn’t immediately offer up an obvious solution to realising your infrastructure management needs.
If you have any helpful techniques or simple tricks and tips to add or any questions on the above I’d love to hear about them in the comments below.
And That’s a Wrap
That winds up this series on Terraform on Azure. I’ve really enjoyed sharing my thoughts, opinions and experiences of this great combination of tooling that really empowers you on your Azure journeys. Over to you to stake your claim in the Cloud. May your deployments be idempotent, your Infrastructure as Code transparent and your solutions, well, just plain amazing.
Terraform with Azure DevOps: Key Vault Secrets
Key Vault Secrets, Terraform and DevOps
This article discusses the incorporation of Key Vault Secret values in Terraform modules and how they can be used as part of a release pipeline definition on Azure DevOps.
Azure Key Vault
Secret management done right in Azure basically involves Key Vault. If you’re not familiar with this Azure offering, you can get the low-down at the following link:
https://docs.microsoft.com/en-us/azure/key-vault/
This article assumes you have followed best practice regarding securing your state file, as described in Terraform with Azure DevOps: Setup. Outputs relating to Secret values will be stored within the state file, so this is essential for maintaining confidentiality.
There are two key approaches to using Key Vault secrets within your Terraform deployments.
Data Sources for Key Vault and Secrets Data References.
This involves using Terraform to retrieve the required Key Vault. One of the advantages of this method is that it avoids the need to create variables within Azure DevOps for use within the Terraform modules. This can save a lot of ‘to-ing and fro-ing’ between Terraform modules and the DevOps portal, leaving you to work solely with Terraform for the duration. It also has the advantage of being self-contained within Terraform, allowing for easier testing and portability.
Azure Key Vault Data Source
We’ll assume you have created a Key Vault using the azurerm_key_vault resource type, added some secrets using the azurerm_key_vault_secret and set an azurerm_key_vault_access_policy for the required Users, Service Principals, Security Groups and/or Azure AD Applications.
If you don’t have the Key Vault and related Secrets available in the current Terraform modules that you are using, you will need to add a data source for these resources in order to reference these. This is typically the case if you have a previously deployed (perhaps centrally controlled) Key Vault and Secrets.
Setting up the Key Vault data source in the same Azure AD tenant is simply a matter of supplying the Key Vault name and Resource Group. Once this is done you can access various outputs such as Vault URI although in practice you’ll only really need the id attribute to refer to in Secret data sources.
data "azurerm_key_vault" "otherworld-visitors" {
name = "ET-and-friends"
resource_group_name = "central-rg-01"
}
output "vault_uri" {
value = data.azurerm_key_vault.central.vault_uri
}
I’ll leave you to browse the official definition for the azurerm_key_vault data source for further information on outputs.
Azure Key Vault Secrets Data Source
Create Key Vault Secret data sources for each of the secrets you require.
data "azurerm_key_vault_secret" "ufo-admin-login-password" {
name = "area-51-admin-password"
key_vault_id = data.azurerm_key_vault.otherworld-visitors.id
}
output "secret_value" {
value = data.azurerm_key_vault_secret.ufo-admin-login-password.value
}
There are again a number of outputs for the data source, including the Secret value, version and id attributes.
You can then reference the Secret’s value by using the respective Key Vault Secret data source value attribute wherever your module attributes require it.
resource "azurerm_sql_database" "area-51-db" {
name = "LittleGreenPeople"
administrator_login_password = "${data.azurerm_key_vault_secret.ufo-admin-login-password.value}"
....
}
If you are using a centralised variables file within each module, which aligns with recommended best practice, this means only having to change the one file when introducing new secrets. Our variables file simply references the required Key Vault Secret data sources as below,
ufo_admin_login_password = "${data.azurerm_key_vault_secret.ufo-admin-login-password.value}"
and our module resource includes the variable reference.
resource "azurerm_sql_database" "area-51-db" {
name = "LittleGreenPeople"
administrator_login_password = "${var.ufo_admin_login_password}"
....
}
As previously mentioned this has not involved any Azure DevOps elements and the Terraform won’t require additional input variables in order to work with the Key Vault Secrets.
Retrieval of Key Vault Secret Values into DevOps Variables
The second approach uses a combination of DevOps variable groups and Terraform functionality to achieve the same end result.
DevOps Key Vault Variable Group
The first step is to grab our secrets into DevOps variables for use within the pipeline. Variable groups can be linked to a Key Vault as below.
This then allows the mapping of Secrets to DevOps variables for use within the various tasks of our pipelines.
I’ll demonstrate two ways to work with these variables within our Terraform modules. I’m sure there are others of course, but these are ones that I’ve found simplest for DevOps – Terraform integration.
Replacement of Tokenised Placeholders
The Replace Tokens task can be used to to replace delimited placeholders with secret values stored in variables. This does of course require that you adopt a standard for your placeholders that can be used across your modules. This approach can result in code that is disjointed to read, but is a common practice with artifacts such as app.config files in the DotNet world. The advantage of this is that you can take a single approach to Secret substitution. We can use Token replacement for both of these areas your code, be it Terraform IaC or DotNet.
Use of ‘TF_VAR_’ Variables
The other technique I mention here is the use of the inbuilt support for variables with names that are prefixed ‘TF_VAR_’. Any environment variables with this naming convention will be mapped by design to Terraform variables within your modules. More information from Terraform docs is available at https://www.terraform.io/docs/commands/environment-variables.html.
We can pass DevOps variables that have been populated with Secrets values into the Terraform task as Environment Variables. You can then use standard variable substitution within your modules. So, ‘TF_VAR_my_secret’ will substitute for the ‘my_secret’ Terraform variable. Please note that all DevOps variables containing secret values should be marked as sensitive. This then obfuscates the variable values within the DevOps log.
Summing Up
Terraform and Azure DevOps allow more than one method for building pipelines that require secrets stored within Key Vault. For me, the Terraform ‘native’ approach of using Key Vault and Key Vault secrets data sources via the Azure RM Terraform provider is the simplest approach. There is no overhead of managing DevOps variables involved which keeps things nicely contained. You may of course prefer alternatives such as those others shown above or have another method, which I’d love to hear about.
I hope this post has provided some insight into using Terraform within Azure DevOps. These two technologies are a winning combination in address real-world Infrastructure as Code adoption within your organisation.
In the final post of this series I’ll be looking at best practices for managing your code using Terraform Modules.
Terraform with Azure DevOps: Setup
Getting Started with Terraform and Azure DevOps
This post discusses some initial tasks when starting to use Terraform for your CI/CD workflow with Azure DevOps.
Storage of the State File
The Terraform state file contains all information regarding the deployment of the resources to the target environment. This can include sensitive information such as storage keys and other secrets that may be output from Terraform. If you are working in a team environment, you will want to store this file where it can be used by the team, the obvious choice if you are working in Azure being a storage account. When running your Terraform deployments with Azure DevOps the only user account that should have access permissions granted to this storage account is that under which the DevOps release pipelines are being executed. It is critical to the security of your deployments to ensure this is in place before proceeding with Terraform as your resource management solution. You can find a great tutorial from Microsoft which walks you through setting this up at the following link.
https://docs.microsoft.com/en-gb/azure/terraform/terraform-backend
Importing Existing Resources
For those already established in Azure, it is likely that some of your resources will not be part of your IaC code base, for whatever reason. In order to complete the picture for future deployment efforts you’ll want to bring these into Terraform resource definitions and ensure that the state file reflects the correct picture. Fail to do this and Terraform will tear them down seeing them as undesired leftovers from previous deployment efforts. One area where Terraform lags significantly behind ARM Templates is in creating infrastructure definitions from existing resources.
With ARM, the majority of deployed resources within Azure can be exported from the portal to a template file which you can then amend, further parameterise if needed and store within your IaC repository.
Terraform’s ‘import’ command does allow something similar in spirit but which requires a lot more manual work in order to reach the same result. You can read about this here.
https://www.terraform.io/docs/import/index.html
Let’s take a look at what we need to bring a resource under Terraform control.
Create a Skeleton Resource Definition
In order to bring the resource in, we need to create a resource definition for the desired resource, which can be simply of the form <resourceType>.<resourceName>, e.g.
resource "azurerm_storage_account" "datalake-storage" {
}
Pretty straight forward.
Import the Resource
With our skeleton resource definition in place, running Terraform’s import command will populate the state file with the required resource attributes from the deployed resource. With our above resource we would execute the following, where the resource_id is the desired Azure resource id.
terraform import azurerm_storage_account.datalake-storage /subscriptions/<subscriptionId>/resourceGroups/<myresourcegroup>/providers/Microsoft.Storage/storageAccounts/<myaccount>
Okay, so now our state file reflects the resource we have imported. Terraform is now aware of its existence and won’t squish it like an unnoticed cherry tomato that strayed out of the fridge.
Update the Terraform Resource Definition
With the required information in the state file, we then need to extract the required information. This can be done by the Terraform show command, as below:
terraform show -json
This will output the state file information in JSON format, giving you the information required for the definition.
Next comes the not so fun bit. At present there is no means to auto-populate the definition from the state info. This leaves a manual exercise to update the resource definition file to complete the Terraform definition. You’ll need to refer to the Terraform Azure resource definition attribute documentation as you go for this. This may take a while if you have a number of resources. There are thankfully plans to automatically populate the resource definition file as part of the import.
State Drift and Terraform Refresh
Due to Terraform’s state file centric view of the world, it will be blissfully unaware of any operations undertaken outside of its deployments. When using the IaC approach to resource deployment with Terraform this is something that shouldn’t really happen but sometimes things can slip through. This issue of ‘state drift’ is something that we can however correct for with the ‘Terraform refresh’ command, as described here.
https://www.terraform.io/docs/commands/refresh.html
Terraform refresh will amend resource definitions stored in the state file. The state file must exist as the refresh command is not able to recreate the file itself completely. Again, as there is no auto-populating of the resource definitions, you’ll need to use Terraform show to extract the resource information and another manual update to align things.
Summing Up
Setting up Terraform on Azure for DevOps is something that will really get you on the right CI/CD path to Azure estate IaC management. Bringing existing resources into the Terraform fold is not straight forward and you should plan a reasonable amount of time for it, though this will change in a future release. Once in, you’ll really start to see it paying dividends for all your DevOps activities. You may even start to wonder how you previously got by without it. In the final posts in this series we’ll be looking at integration with Release Pipelines, Secrets management and some other usability tips and tricks. See you soon for more Terraforming.
