To configure Azure Hybrid Join using Terraform, you'll need to start by creating a service principal in Azure Active Directory. This service principal will be used to authenticate Terraform and manage Azure resources.
In Azure, navigate to the Azure Active Directory section and click on "App registrations" to create a new application. You'll need to provide a name and redirect URI for the application.
Terraform will use the client ID and client secret of this service principal to authenticate and manage Azure resources. Note down these values for later use, and treat the client secret as you would any other credential: it is shown only once when it is created.
To configure Azure Hybrid Join, you'll need to create a new Azure Active Directory tenant if you haven't already. This can be done by navigating to the Azure Active Directory section and clicking on "Create a tenant".
What is Terraform?
Terraform is an infrastructure-as-code (IaC) tool that allows you to define and provision data center infrastructure using a declarative configuration language.
It supports multiple cloud providers, including Microsoft Azure, which makes it a great choice for managing your Azure resources.
Using Terraform on Azure, you can create, manage, and update resources like virtual machines, storage accounts, and networking interfaces.
This ensures consistent and reproducible infrastructure deployment across different environments.
A typical Terraform workflow has three steps:
1. Write the infrastructure as code in configuration files. This is the step that makes provisioning and configuration changes automatable.
2. Initialize the working directory and run a plan to preview the changes. This shows you exactly what will be created, changed, or destroyed before anything is applied.
3. Apply the plan to provision the infrastructure. This is where the actual provisioning happens, based on the configuration files written in step 1.
Preparation and Setup
To prepare for an Azure Hybrid Join using Terraform, you'll need a few things set up first. You'll need a GitHub account, a Microsoft account, and an Azure subscription. Additionally, you'll need an Azure AD Premium P1/P2 license to configure certain security features.
You'll also need to install Azure CLI and Terraform on your machine. Make sure you have credentials for authentication, as Terraform will pick up Azure credentials implicitly from the environment if you've already authenticated with Azure CLI.
Here are the pre-requisites listed out for you:
- GitHub Account
- Microsoft Account
- Azure Subscription
- Azure AD Premium P1/P2 license
- Azure CLI installed and credentials for authentication
- Terraform installed
- Azure RG, Storage account and blob container setup for remote Terraform state files.
Pre-Requisites
Before we dive into the setup process, let's make sure we have all the necessary pre-requisites in place. You'll need a GitHub account to access the Terraform artifacts.
To get started with Azure, you'll need an Azure subscription, which you can sign up for on the Azure website. Additionally, you'll need an Azure AD Premium P1/P2 license to configure certain features like Conditional Access policy and MFA with conditional access.
You'll also need to install Azure CLI and Terraform on your machine, and authenticate with Azure using your credentials. It's also a good idea to set up an Azure RG, Storage account, and blob container if you plan to maintain your Terraform state files remotely.
Here's a list of the pre-requisites in a concise format:
- GitHub Account
- Microsoft Account
- Azure Subscription
- Azure AD Premium P1/P2 license
- Azure CLI installed and authenticated
- Terraform installed
- Azure RG, Storage account, and blob container setup (optional)
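The following is an added example, not code from the original page or from any of the sources it draws on. It ties the prerequisites above together: the `azurerm` and `azuread` providers, remote state in the storage account and blob container from the list, and authentication that Terraform picks up implicitly from an `az login` session or from the service principal's credentials in environment variables, so no secret is written into the configuration. The provider versions and the resource group, storage account, container, and state-file names are placeholders.

```hcl
terraform {
  required_version = ">= 1.5"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.100"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.50"
    }
    random = {
      source  = "hashicorp/random"
      version = "~> 3.6"
    }
  }

  # Remote state in the pre-created storage account (placeholder names).
  # State files contain every attribute Terraform knows about, including
  # secrets, so restrict access to this container to the pipeline identity
  # and the people who operate it.
  backend "azurerm" {
    resource_group_name  = "rg-tfstate"
    storage_account_name = "sttfstateplaceholder"
    container_name       = "tfstate"
    key                  = "arc-demo.terraform.tfstate"
  }
}

# No credentials in code. Terraform authenticates with the Azure CLI session
# (az login) when one exists, or with the service principal through the
# ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_TENANT_ID and ARM_SUBSCRIPTION_ID
# environment variables when running in a pipeline.
provider "azurerm" {
  features {}
}

# The Azure AD provider shares the same authentication chain.
provider "azuread" {}
```

Run `terraform init` once with this file in place to configure the backend and download the providers; the `ARM_*` variables are only needed where there is no interactive CLI session.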
Make sure you have all these pre-requisites in place before moving on to the next step. You can also refer to the YouTube demo recording for a visual guide on how to set up these pre-requisites.
Prepare Provisioning Script
To prepare the provisioning script, you'll need to remove the `sudo` command from line 24 of the script. This is because the script will run as root anyway, and adding `sudo` would be unnecessary.
The script also needs `DEBIAN_FRONTEND=noninteractive` declared, so that package installation does not stop to prompt for input in a headless environment.
You'll need to replace placeholders in the script with actual values, which can be generated using Terraform. The required placeholders include:
- Service Principal: application ID and password (lines 2 and 3)
- Subscription ID, Tenant ID (lines 6 and 8)
- Resource group and its region (lines 7 and 9)
- Correlation ID – a random GUID (line 11)
A fully populated onboarding script, ready for execution, can be generated using Terraform's `azurerm_resource_group` resource. This script will meet all the requirements outlined above.
The `azure_arc_region` variable should be set to a region close to the virtual machine's region, such as `canadacentral`, which is located in Toronto.
Onboard Digital Ocean Droplet
Onboarding a Digital Ocean Droplet is a crucial step in our setup process. To do this, we replace the `whoami` in our SSH provisioner with a reference to the onboarding script.
The onboarding script is stored in a local variable, which we obtained in Step 2. We'll update our Terraform configuration to run this script instead of `whoami`.
Here's a step-by-step guide to onboarding your Digital Ocean Droplet:
1. Update your Terraform configuration to use the onboarding script.
2. Make sure to wait until the Microsoft.HybridCompute provider registration and Azure Connected Machine Onboarding role assignment are complete.
3. Use the `azurerm_role_assignment.this` and `azurerm_resource_provider_registration.this` resources to ensure a smooth onboarding process.
By following these steps, you'll be able to successfully onboard your Digital Ocean Droplet to Azure Arc.
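The following is an added example, not code from the original page or from the blog post it summarises, covering both the "Prepare Provisioning Script" and "Onboard Digital Ocean Droplet" sections. Instead of generating the script from `azurerm_resource_group`, it renders the placeholders with Terraform's `templatefile()` function from an assumed template `onboarding.sh.tftpl` (whose variable names are my own), draws a random correlation GUID from `random_uuid`, and feeds the result to the `remote-exec` provisioner, gated on the provider registration and role assignment the text describes. The variable names, resource group name, Droplet image and size, and SSH key details are assumptions.

```hcl
variable "arc_sp_client_id" {
  description = "Application (client) ID of the service principal that onboards the machine"
  type        = string
}

variable "arc_sp_client_secret" {
  type      = string
  sensitive = true
}

variable "azure_arc_region" {
  description = "Arc region close to the Droplet; canadacentral is in Toronto"
  type        = string
  default     = "canadacentral"
}

variable "do_ssh_key_fingerprint" { type = string }
variable "ssh_private_key_path" { type = string }

# Subscription and tenant come from the identity Terraform is running as.
data "azurerm_client_config" "current" {}

# Object ID of the onboarding service principal, needed for the role assignment.
data "azuread_service_principal" "arc" {
  client_id = var.arc_sp_client_id
}

resource "azurerm_resource_group" "arc" {
  name     = "rg-arc-demo" # placeholder
  location = var.azure_arc_region
}

# Arc-enabled servers live under this provider; register it once per subscription.
resource "azurerm_resource_provider_registration" "this" {
  name = "Microsoft.HybridCompute"
}

# Least privilege: the onboarding role, scoped to the one resource group.
resource "azurerm_role_assignment" "this" {
  scope                = azurerm_resource_group.arc.id
  role_definition_name = "Azure Connected Machine Onboarding"
  principal_id         = data.azuread_service_principal.arc.object_id
}

resource "random_uuid" "correlation" {}

locals {
  # Fills the placeholders the text lists (SP id/secret, subscription, tenant,
  # resource group, region, correlation ID). The template is assumed to set
  # DEBIAN_FRONTEND=noninteractive itself and to contain no sudo.
  onboarding_script = templatefile("${path.module}/onboarding.sh.tftpl", {
    client_id       = var.arc_sp_client_id
    client_secret   = var.arc_sp_client_secret
    subscription_id = data.azurerm_client_config.current.subscription_id
    tenant_id       = data.azurerm_client_config.current.tenant_id
    resource_group  = azurerm_resource_group.arc.name
    location        = var.azure_arc_region
    correlation_id  = random_uuid.correlation.result
  })
}

resource "digitalocean_droplet" "arc" {
  name     = "arc-demo-droplet" # placeholder
  image    = "ubuntu-22-04-x64"
  region   = "tor1"
  size     = "s-1vcpu-1gb"
  ssh_keys = [var.do_ssh_key_fingerprint]

  connection {
    type        = "ssh"
    host        = self.ipv4_address
    user        = "root" # the script runs as root, hence no sudo
    private_key = file(var.ssh_private_key_path)
  }

  # The rendered script replaces the original "whoami" placeholder.
  provisioner "remote-exec" {
    inline = [local.onboarding_script]
  }

  # Do not connect before the provider is registered and the role is in place.
  depends_on = [
    azurerm_resource_provider_registration.this,
    azurerm_role_assignment.this,
  ]
}
```

The rendered script, client secret included, ends up in the Terraform state, which is one more reason the remote state container from the prerequisites must be access-controlled; rotating the service principal secret after onboarding limits the exposure further.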
Terraform Configuration
To maintain a well-organized and efficient infrastructure, break down your configuration into reusable modules for common components, promoting code reuse and simplifying complex deployments.
A consistent naming convention for resources and variables is essential, improving readability and understanding of your Terraform configuration. Define and apply tags to Azure resources using Terraform to categorize, organize, and track resources for cost allocation, monitoring, and management purposes.
Use Terraform Cloud, Spacelift, or an Azure storage account as the Terraform backend for centralized state storage to avoid conflicts when running deployments from multiple pipelines or workstations.
Configuration and Style
The key considerations for structuring a Terraform configuration follow. A well-structured and consistent configuration is easier to manage and maintain.
Breaking down your infrastructure into reusable modules for common components promotes code reuse and improves maintainability. This approach simplifies complex deployments and reduces the risk of errors.
Adopting a consistent naming convention for resources and variables improves the readability and understanding of your Terraform configuration. This helps you quickly identify and locate specific resources and variables.
Defining and applying tags to Azure resources using Terraform enables you to categorize, organize, and track resources for cost allocation, monitoring, and management purposes.
Centralized state storage is essential to avoid conflicts when running deployments from multiple pipelines or workstations. Consider using Terraform Cloud, Spacelift, or an Azure storage account as the Terraform backend for this purpose.
`terraform fmt` formats your configuration consistently, and `terraform validate` catches syntax and reference errors before you plan or apply. Running both routinely, ideally in CI, keeps mistakes from reaching your infrastructure.
Importing Users into Terraform
If you already have users in your Azure AD and want to manage them with Terraform, you can use a script to extract their details.
The script, located at `scripts/azuread-import-users.py`, can be run after logging into your Azure tenant with `az login`. It extracts a list of Display Names, Principal Names, and Departments associated with the current tenant.
The script runs an `az ad` query to capture the user details and writes them to a TSV file. Python then reads that file and converts it into Terraform syntax.
Once you have your list of users, you can follow the procedure to import them into Terraform, starting at step 8.
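As an added example (not the page's script or its output), this is the shape the converted user list can take once it has been turned into Terraform syntax, together with the `import` blocks (Terraform 1.5 or later) that bring the existing Azure AD users under management without recreating them. The two users and their object IDs are constructed placeholders; real values come from the TSV export.

```hcl
locals {
  # Constructed sample rows, as the TSV-to-HCL conversion would emit them.
  # Key = a stable handle for Terraform; values = the exported columns.
  existing_users = {
    jdoe = {
      user_principal_name = "jdoe@contoso.example"
      display_name        = "Jane Doe"
      department          = "Security"
    }
    asmith = {
      user_principal_name = "asmith@contoso.example"
      display_name        = "Alex Smith"
      department          = "Platform Engineering"
    }
  }
}

resource "azuread_user" "this" {
  for_each = local.existing_users

  user_principal_name = each.value.user_principal_name
  display_name        = each.value.display_name
  department          = each.value.department

  # Passwords are never read back from Azure AD, so an imported user has no
  # password in state; ignoring the attribute prevents spurious diffs.
  lifecycle {
    ignore_changes = [password]
  }
}

# Existing users are adopted by object ID (placeholder GUIDs below).
# Before Terraform 1.5 the equivalent is:
#   terraform import 'azuread_user.this["jdoe"]' <object-id>
import {
  to = azuread_user.this["jdoe"]
  id = "00000000-0000-0000-0000-000000000001"
}

import {
  to = azuread_user.this["asmith"]
  id = "00000000-0000-0000-0000-000000000002"
}
```

After `terraform plan` the imports should show as "to import" with no changes; any attribute diff at that point means the exported value and the tenant disagree and should be resolved before applying.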
Resource Creation
To create resources in Azure, you'll start by creating an Azure resource group using the `azurerm_resource_group` block in your configuration file.
This block specifies the configuration for the resource group, which Terraform then uses to create it in your Azure subscription.
You can see the changes Terraform will make by running `terraform plan`, which will show the creation of the resource group.
The AKS Cluster
To create an AKS cluster for workload identity, you'll enable the OIDC issuer and workload identity on the cluster so that it can issue tokens for workloads such as your Pods.
This means adding those two settings to the cluster resource in your Terraform block. Depending on your setup, you'll also expose the value you need from the cluster as a Terraform output, typically in an `outputs.tf` file.
Once the cluster is up, you'll see the `azure-wi-webhook` in the `kube-system` namespace; it handles injecting tokens into your Pods.
You'll also need to create Managed Identities and permit them to be assumed by workloads in the cluster.
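The following is an added example, not the configuration from the original page or from the posts it summarises. It shows the cluster settings described above, the output that exposes the cluster's OIDC issuer URL, a user-assigned managed identity, and the federated identity credential that lets exactly one Kubernetes service account assume that identity. Names, the node pool size, and the namespace and service account variables are assumptions.

```hcl
variable "location" {
  type    = string
  default = "canadacentral"
}

variable "k8s_namespace" {
  type    = string
  default = "app"
}

variable "k8s_service_account" {
  type    = string
  default = "app-sa"
}

resource "azurerm_resource_group" "aks" {
  name     = "rg-aks-wi-demo" # placeholder
  location = var.location
}

resource "azurerm_kubernetes_cluster" "this" {
  name                = "aks-wi-demo" # placeholder
  location            = azurerm_resource_group.aks.location
  resource_group_name = azurerm_resource_group.aks.name
  dns_prefix          = "akswidemo"

  # The two settings the text refers to: the cluster publishes an OIDC
  # discovery document and runs the azure-wi-webhook in kube-system.
  oidc_issuer_enabled       = true
  workload_identity_enabled = true

  default_node_pool {
    name       = "system"
    node_count = 1
    vm_size    = "Standard_D2s_v3"
  }

  identity {
    type = "SystemAssigned"
  }
}

# The output other modules (or the federated credential below) consume.
output "oidc_issuer_url" {
  value = azurerm_kubernetes_cluster.this.oidc_issuer_url
}

# The identity your Pods will act as. Grant it only the roles the
# workload needs (for example a single Key Vault's "Key Vault Secrets User").
resource "azurerm_user_assigned_identity" "app" {
  name                = "id-app-wi-demo" # placeholder
  location            = azurerm_resource_group.aks.location
  resource_group_name = azurerm_resource_group.aks.name
}

# Trust exactly one service account in one namespace. The subject must match
# the token the cluster issues; anything else is rejected at token exchange.
resource "azurerm_federated_identity_credential" "app" {
  name                = "fic-app-wi-demo"
  resource_group_name = azurerm_resource_group.aks.name
  parent_id           = azurerm_user_assigned_identity.app.id
  audience            = ["api://AzureADTokenExchange"]
  issuer              = azurerm_kubernetes_cluster.this.oidc_issuer_url
  subject             = "system:serviceaccount:${var.k8s_namespace}:${var.k8s_service_account}"
}

# The service account is annotated with this client ID
# (azure.workload.identity/client-id) so the webhook knows which identity
# to request a token for.
output "app_identity_client_id" {
  value = azurerm_user_assigned_identity.app.client_id
}
```

Keeping one federated credential per service account, rather than a broad subject, is what makes the trust auditable: the `subject` on each credential names precisely which workload can obtain tokens for the identity.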
Create Resource Group
To create a resource group in Azure, add a configuration for it to your configuration file using the `azurerm_resource_group` block. This is a crucial step in setting up your Azure resources.
The `azurerm_resource_group` block is where you specify the details of your resource group, such as its name and location. This information is used to create the resource group in your Azure subscription.
Run `terraform plan` to see the changes Terraform will make. This shows the creation of the resource group, so you can review the plan before proceeding.
If the plan looks good, run `terraform apply` to create the resource group in your Azure subscription.
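As an added example (not from the original page or its sources), serving both the "Configuration and Style" section and the resource group creation just described: a naming convention and a common tag set defined once in `locals`, applied to the resource group, and passed down to a module call. The `./modules/network` module path, the environment and workload names, and the tag keys are assumptions.

```hcl
locals {
  environment = "prod"
  workload    = "arcdemo"
  location    = "canadacentral"

  # One convention, applied everywhere: <type>-<workload>-<environment>.
  name_prefix = "${local.workload}-${local.environment}"

  # Tags applied to every resource for cost allocation and ownership tracking.
  common_tags = {
    environment = local.environment
    workload    = local.workload
    owner       = "platform-team"   # placeholder
    cost_center = "CC-0000"         # placeholder
    managed_by  = "terraform"
  }
}

# The resource group the text describes; terraform plan shows it as 1 to add.
resource "azurerm_resource_group" "this" {
  name     = "rg-${local.name_prefix}"
  location = local.location
  tags     = local.common_tags
}

# Common components live in reusable modules (assumed local module path).
# Passing the same tags and prefix keeps child resources consistent.
module "network" {
  source = "./modules/network"

  name_prefix         = local.name_prefix
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name
  tags                = local.common_tags
}
```

With the naming and tags centralised in `locals`, a change to the convention is a single edit, and `terraform plan` shows exactly which resources it touches before anything is applied.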
Sources
- https://spacelift.io/blog/terraform-azure
- https://codeblog.dotsandbrackets.com/onboarding-custom-vm-to-azure-arc-with-terraform/
- https://jeffbrown.tech/terraform-workload-identity-azure-devops/
- https://surajblog.medium.com/workload-identity-in-aks-with-terraform-9d6866b2bfa2
- https://jksprattler.github.io/jennas-runbooks/Azure/azure-tf-ad-rbac.html