TL;DR:
Learn how to set up cost anomaly detection on AWS and Azure using Terraform, compare their features, and see which is best for your FinOps needs.

Introduction 🚀

Cost overruns can derail even the most well-planned cloud strategies. Fortunately, both AWS and Azure offer native capabilities for detecting cost anomalies. In this blog, I’ll show how each provider approaches this challenge, highlight their pros and cons, and share how I implemented Terraform configurations to create anomaly detection alerts for both.

🟧 AWS Cost Anomaly Detection

💡 Pro Tip:
AWS lets you set anomaly alert thresholds using absolute dollar values or percentage increases, making it easy to tailor alerts for your business needs.

How it works

AWS uses machine learning models to monitor usage patterns across services, accounts, and tags. It generates alerts via Amazon SNS when anomalies are detected.

Terraform Example

resource "aws_ce_anomaly_monitor" "example" {
  name              = "FinOps Anomaly"
  monitor_type      = "DIMENSIONAL"
  monitor_dimension = "SERVICE"
  tags              = local.tags
}

resource "aws_ce_anomaly_subscription" "example" {
  name      = "FinOps Anomaly Alert"
  frequency = "DAILY"
  monitor_arn_list = [
    aws_ce_anomaly_monitor.example.arn
  ]
  subscriber {
    type    = "EMAIL"
    address = "me@johnalfaro.com"
  }
  threshold_expression {
    dimension {
      key           = "ANOMALY_TOTAL_IMPACT_ABSOLUTE"
      match_options = ["GREATER_THAN_OR_EQUAL"]
      values        = ["100"]
    }
  }
  tags = local.tags
}

After a couple of days, you will start receiving emails with alerts like this one:

🟦 Azure Cost Anomaly Detection

ℹ️ Note:
Azure anomaly detection is easy to set up and integrates with Cost Management, but alerting and automation options are limited.

How it works

Azure Cost Anomaly Detection is built on Microsoft’s WaveNet forecasting models and analyzes daily cost usage trends against historical data (up to 60 days). It looks for unexpected spikes in costs for a subscription or a resource group by comparing forecasted vs actual usage.

Terraform Example

More info on setting up Azure Cost Anomaly Detection can be found in the Azure Terraform Provider documentation.

resource "azurerm_cost_anomaly_alert" "sub" {
  name               = "finopsanomaly"
  display_name       = "FinOps Anomaly Alert"
  subscription_id    = "/subscriptions/${data.azurerm_subscription.me.subscription_id}"
  email_subject      = "FinOps Alert - ${data.azurerm_subscription.me.display_name}"
  email_addresses    = ["me@johnalfaro.com"]
}

After a couple of days, you will start receiving emails with alerts like this one:

📊 Comparison Table

🚦 What Else Can You Do With the Alerts?

🟧 AWS

AWS Cost Anomaly Detection integrates natively with Amazon SNS, unlocking powerful automation and downstream workflows:

• Trigger Lambda functions: Automate cost mitigation (e.g., resource tagging, notification routing, stopping instances).
• Integrate with chat tools: Use AWS Chatbot or webhooks to notify Slack, Microsoft Teams, or Amazon Chime.
• Store alerts in S3: Archive structured alerts for audit and trend analysis.
• Route via EventBridge: Enable advanced rule-based routing and cross-service workflows.

This allows for fully automated cost guardrails beyond basic email notifications.

🟦 Azure

Azure’s anomaly alerting is more limited, but still offers options:

• Email notifications: Default mechanism for anomaly alerts.
• API polling workaround: Use Azure Functions or Logic Apps to query anomalies via the CostManagement/anomalyDetectionResults API and act on them.

ℹ️ At this time, Azure does not support direct integration of anomaly detection with Action Groups.

Summary 🎯

AWS offers more flexibility and precision in anomaly detection. Its integration with other AWS services like Lambda, Step Functions, EventBridge, and Chatbot enables more automation and cost guardrails beyond simple notifications, making it a better option for enterprise environments.

Azure, while easy to set up and integrated with Cost Management, is falling behind in practical usability. The lack of direct support for Action Groups, limited alerting mechanisms, and a tendency to produce unnecessary alerts makes the feature less actionable and noisy. As it stands, Azure’s anomaly detection alerts are not yet ideal for enterprise-grade operations in my opinion.

I hope Microsoft invests in improving this feature to make it more reliable and enterprise-ready—definitely something every FinOps team wants to have, but it’s not quite there yet.

Let me know what you think—are you using either provider’s detection service? Or maybe both? 😄

☕ Liked this content? You can sponsor my next deep dive below!

Hey there! Have you heard of Azure Open AI? It’s an awesome platform developed by Microsoft that helps businesses of all sizes and industries leverage the power of artificial intelligence (AI) to achieve their digital transformation goals. With Azure Open AI, organizations can automate tasks, gain insights, and make better decisions faster than ever before.

One of the coolest things about Azure Open AI is that it’s designed to be super flexible and scalable, making it a popular choice for enterprises looking to adapt quickly to changing market conditions. Plus, it includes advanced security features like encryption and access controls to help protect customer data and systems from cyber threats.

Here are some of the ways that security is managed for the service to be operational.

1. Encryption: Azure Open AI uses encryption to protect data both in transit and at rest. This helps prevent unauthorized access to sensitive data.
2. Access Controls: Azure Open AI includes a range of access controls to help prevent unauthorized access to customer data and systems. This includes role-based access controls, multi-factor authentication, and network security groups.
3. Threat Detection: Azure Open AI includes advanced threat detection capabilities that can help organizations detect and respond to potential security threats. This includes real-time threat monitoring, security alerts, and automated threat response.
4. Data Protection: Azure Open AI includes a range of data protection features, including backup and disaster recovery, to help ensure that customer data is protected in the event of a data loss or system failure.

The diagram below depicts the architecture to be deployed for the Azure Open AI Account. By the way, I chose East US as Chat GPT is currently in preview in that region.

One of the key features is that Azure Open AI supports Private Endpoints, which let you restrict access to your Azure Open AI services to only those resources within your virtual network that require access. This keeps your services safe and secure, while still allowing authorized resources to access what they need.

For that reason, I will be focusing on the deployment of Azure Open AI using the Terraform AzureRM provider and Terraform AzAPI provider to enable and manage this feature. I did not know this was already possible when I started exploring, so I have included both deployment methods. However, I did notice a significant difference in deployment time: the AzAPI provider was much faster than the AzureRM provider.

Azure Open AI Onboarding 🕵️‍♀️

To get started with Azure Open AI, follow these steps:

1. Have your Azure subscription ID ready to get onboarded.
2. Fill out the Request Access Form. It takes a couple of days to get a response.
3. If you are an Enterprise customer and want to ensure your data is not processed by Microsoft for abuse monitoring, you can opt out by filling out this form.
4. I already have my Terraform Cloud Org set up for my deployment. 😎
5. Deploy the Azure Open AI service via Terraform.
6. Deploy the model to be used via Terraform.

ℹ️ Data Privacy:
For important information regarding data privacy, please refer to the Azure OpenAI Data Privacy documentation.

Terraform Configuration Using AzAPI Provider 👨‍💻

When I first looked into deploying Azure Open AI with Terraform, I noticed the AzureRM provider did not have an OpenAI resource. So, my first attempt was with the AzAPI provider. The code I used is below. (I have more AzAPI examples in earlier articles if you’re interested.)

Azure Open AI Account Example:

# Resource Group for Cognitive Services
resource "azurerm_resource_group" "openai" {
  name     = "cerocool-ai-rg"
  location = "eastus"
}

# Azure Open AI Account
resource "azapi_resource" "openai_account" {
  type      = "Microsoft.CognitiveServices/accounts@2022-12-01"
  name      = "cerocoolai-azapi"
  parent_id = resource.azurerm_resource_group.openai.id
  location  = "eastus"
  body = jsonencode({
    sku = {
      name = "S0"
    }
    kind = "OpenAI"
    properties = {
      publicNetworkAccess = "Disabled"
      customSubDomainName = "ceroazapi"
    }
  })
}

# Azure Open AI Model - Chat GPT
resource "azapi_resource" "chatgpt_model_azapi" {
  type      = "Microsoft.CognitiveServices/accounts/deployments@2022-12-01"
  name      = "cero_chatgpt_model"
  parent_id = resource.azapi_resource.openai_account.id
  body = jsonencode({
    properties = {
      model = {
        format  = "OpenAI",
        name    = "gpt-35-turbo"
        version = "0301"
      }
      scaleSettings = {
        scaleType = "Standard"
      }
    }
  })
}

Terraform Configuration using AzureRM Provider 👷

After digging a bit more I realise you can use Cognitive Services resource to deploy the resource😎.

### Resource Group for Cognitive Services
resource "azurerm_resource_group" "openai" {
  name     = "cerocool-ai-rg"
  location = "eastus"
}

### Azure Open AI Account
resource "azurerm_cognitive_account" "openai" {
  name                          = "cerocoolai-azurerm"
  location                      = "eastus"
  resource_group_name           = azurerm_resource_group.openai.name
  kind                          = "OpenAI"
  custom_subdomain_name         = "ceroaiazurerm"
  sku_name                      = "S0"
  public_network_access_enabled = false
  identity {
    type = "SystemAssigned"
  }

  tags = {
    Acceptance = "Test"
  }
}

### Azure Open AI Model - Chat GPT
resource "azurerm_cognitive_deployment" "chatgpt_model_azurerm" {
  name                 = "cero_chatgpt_model"
  cognitive_account_id = resource.azurerm_cognitive_account.openai.id
  model {
    format  = "OpenAI"
    name    = "gpt-35-turbo"
    version = "0301"
  }

  scale {
    type = "Standard"
  }
}

The resources created will look like below. However, what it really took my attention was the time of the deployment using AzAPI vs AzureRM provider. In this instance, the service took 16 mins to be deployed via AzAPI and 23 mins via AzureRM 🤔. Definitely, something I want to understand more as 7 mins difference seems quite a bit.

Private Endpoint for Open AI Resource 📝

To create the private endpoint for the resource you can use the snippet below. You will of course require having the openai.azure.com private DNS zone created for OpenAI. The service actually will let you know as soon as you remove the public access on the Open AI Studio.

resource "azurerm_private_endpoint" "name" {
  name                = "openai-pe"
  location            = "westeurope"
  resource_group_name = azurerm_resource_group.openai.name
  subnet_id           = data.azurerm_subnet.privatelink.id

  private_service_connection {
    name                           = "privateendpoint-1"
    private_connection_resource_id = azurerm_cognitive_account.openai.id
    is_manual_connection           = false
    subresource_names              = ["account"]
  }
}

resource "azurerm_private_dns_a_record" "openai" {
  name                = "cerocoolai-azurerm"
  zone_name           = "privatelink.openai.azure.com"
  resource_group_name = azurerm_resource_group.openai.name
  ttl                 = 300
  records             = [azurerm_private_endpoint.openai.private_service_connection[0].private_ip_address]
}

Summary 📻

In this blog post, we explored the Azure Open AI deployment process using terraform and highlighted some of the powerful capabilities that enterprises can leverage, such as Private Endpoint for enhanced security. We also discussed our surprise at the slow deployment times using AzureRM compared to AzAPI, though it’s worth noting that your experience may vary. What’s next? Last but not least if you want to be part of the Azure OpenAI GPT-4 Public Preview Waitlist please check here.

I do hope this helps someone and that you find it informative,, so please let me know your constructive feedback as it’s always important🕵️‍♂️,, That’s it for now,,, Hasta la vista🐱‍🏍!!!

🚴‍♂️ If you enjoyed this blog, you can empower me with some caffeine to continue working in new content 🚴‍♂️.

Azure NetApp Files data protection is extending to not just snapshots but it will be able to create volume backups based on volume snapshots, so I decided to test this preview feature to understand how the backup capability will enhance the data protection posture for ANF. Currently, Backups are a preview feature and it is not enabled yet on the Terraform AzureRM provider. For that reason, I decided to use the Terraform AzAPI provider to enable and manage this feature.

Azure NetApp Files backup provides fully managed backup solution for long-term recovery, archive, and compliance.

• Backups created by the service are stored in Azure Storage independent of volume snapshots. IT can be Zone-Redundant Storage (ZRS) where Availability Zones are available or Local Redundant Storage (LRS) where there are no Availability Zones support.
• Backups taken by the service can be restored to new ANF volume within the region.
• Azure NetApp Files backup supports both policy-based (scheduled) backups and manual (on-demand) backups. I will be focusing on policy-based as we all like consistency.(●’◡’●)

For more information regarding this capability go to ANF Backup documentation.

The diagram below depicts the architecture to be deployed for Azure NetApp Files Account.

Azure NetApp Files Backup Preview enablement 🕵️‍♀️

To enable the preview feature for Azure NetApp Files, you need to enable the preview feature. However, this feature needs to be requested via Public Preview request form. When the feature is enabled this will appear as registered.

Get-AzProviderFeature -ProviderNamespace "Microsoft.NetApp" -ListAvailable

Note The pending status means that the feature needs to be enabled by Microsoft and NetApp before it can be used.

Bonus: In case you manage providers and its features using Terraform 😞…I did try to enable this feature using terraform but it failed with the below message, which is understandable as it is an opt in feature.

 resource "azurerm_resource_provider_registration" "anf" {
   name     = "Microsoft.NetApp"
   feature {
     name       = "ANFSDNAppliance"
     registered = true
   }
   feature {
     name       = "ANFChownMode"
     registered = true
   }
   feature {
     name       = "ANFUnixPermissions"
     registered = true
   }
   feature {
     name = "ANFBackupPreview"
     registered = true
    }
 }

Terraform Configuration 👨‍💻

I am deploying ANF using a Module with the AzureRM provider and configuring the backup preview feature using the AzAPI provider as this is an additional configuration to my last [AzApi intro article.][azpiarticle]

ANF Repo
        |_Modules
            |_ANF_Pool
        |       |_ main.tf
        |       |_ variables.tf
        |       |_ outputs.tf
        |   |_ ANF_Volume
        |       |_ main.tf
        |       |_ variables.tf
        |       |_ outputs.tf        
        |_ main.tf
        |_ providers.tf
        |_ variables.tf
        |_ outputs.tf

Enabling Azure NetApp Files Backups 👷

To configure ANF poicy-based backups for a volume there are some requirements. For more info about them please check Azure NetApp Files Backup Requirements.

• Snapshot policy must be configured and enabled.
• There are some regions with this feature enabled.. So Australia East is one of them for my test.🦸‍♂️

resource "azurerm_netapp_account" "analytics" {
  name                = "cero-netappaccount"
  location            = data.azurerm_resource_group.one.location
  resource_group_name = data.azurerm_resource_group.one.name
}

module "analytics_pools" {
  source   = "./modules/anf_pool"

  for_each = local.pools

  account_name        = azurerm_netapp_account.analytics.name
  resource_group_name = azurerm_netapp_account.analytics.resource_group_name
  location            = azurerm_netapp_account.analytics.location
  volumes             = each.value
  tags                = var.tags
}

After this deployment, you will be able to see the backup icon as part of the ANF account as below.

Backup Policy creation 📝

After testing for some time I realise the creation of the backup policy is the same as the snapshot policy, it has its own terraform resource as I was getting confused as in the portal it looks like it is part of the ANF account itself. At the end, I use the azapi_resource resource with the latest API version and the code looks like this:

• The parent id is the id of the ANF account.

  resource "azapi_resource" "backup_policy" {
  type      = "Microsoft.NetApp/netAppAccounts/backupPolicies@2022-01-01"
  parent_id = azurerm_netapp_account.analytics.id
  name      = "dailybackup"
  location  = "australiaeast"
  
  body = jsonencode({
    properties = {
      enabled              = true
      dailyBackupsToKeep   = 1
      weeklyBackupsToKeep  = 0
      monthlyBackupsToKeep = 0
    }
  })
  }
  

  Because I am deploying this in Australia East, where there is Availability Zones support. The Azure Blob will use Zone Redundant Storage (ZRS). However, I could not find anything that will provide me that information. What I did saw is that it seems to be using NetApp Cloud Backup service as the vault is not and Azure Backup Vault and the naming has cbs prefix🕵️♂️ and best of all it feels like CBS. In the Azure Portal (under the volume )it will look like:

Note Currently ANF backups supports backing up the daily, weekly, and monthly local snapshots created by the associated snapshot policy to the Azure storage. I hope that we can see a more granular backup policy in the future.

The first snapshot when the backup feature is enabled is called a baseline snapshot, and its name includes the prefix snapmirror.

Assigning Backup Policy to an ANF Volume 📝

The next step in the process is to assign the backup policy to an ANF volume. Again, as this is not supported yet by the AzureRM provider I use the azapi_update_resource similarly to my last article. In this case, the configuration code looks like below where the data protection block is added to the volume configuration.

resource "azapi_update_resource" "vol_backup" {
  type        = "Microsoft.NetApp/netAppAccounts/capacityPools/volumes@2021-10-01"
  resource_id = module.analytics_pools["pool1"].volumes.volume1.volume.id
  body = jsonencode({
    properties = {
      dataProtection = {
        backup = {
          backupEnabled  = true
          backupPolicyId = azapi_resource.backup_policy.id
          policyEnforced = true
        }
      }
      unixPermissions = "0740",
      exportPolicy = {
        rules = [{
          ruleIndex = 1,
          chownMode = "unRestricted" }
        ]
      }
    }

  })
}

The data protection policy will look like the screenshot below… So our Volume is fully protected within the region.

Something I found odd was that even though the backup policy was already “enabled” when I tried to create my first manual backup it failed, as below indicating it was not honouring accordingly the policy. The solution I found was to disable/re-enable the policy and manual backups started working. I guess is something I will be taking to provide feedback as it is still in preview😶‍🌫️.

Summary 📻

I can see more adoption using these features more and more in ANF as it was missing to have a more complete Data Protection capability. In regards to the AzAPI provider, once again came to the rescue with its flexibility to provide preview features support for Azure resources. Again, I am keen to see how the AzAPI2AzureRM migration tool will work in this case when the features are added to the AzureRM provider and see how seamless the experience is. I will be looking into how I can create volumes from a backup and whether there is capability to create manual backups, similar to manual snapshots, using Terraform.

I hope this helps someone and that you find it informative. Please let me know your constructive feedback, as it’s always important. 🕵️‍♂️ That’s it for now—Hasta la vista! 🐱‍🏍

🚴‍♂️ If you enjoyed this blog, you can empower me with some caffeine to continue working on new content. 🚴‍♂️

I was working on a project using Azure NetApp Files, aiming to test some preview features to understand how they can improve capabilities and user experience. The infrastructure was provisioned using Terraform. However, those preview features are not yet enabled in the Terraform AzureRM provider. Previously, the workaround was to use ARM templates wrapped with azurerm_template_deployment to make it Terraform-native, which was not ideal.

Thanks to community feedback and Microsoft’s investment, the provider has improved to release new features and enable private preview ones at a faster cadence. Still, some projects need to enable features as soon as they are released, which is usually possible natively with ARM templates or Bicep.

Microsoft recently released the Terraform AzAPI provider, which helps break that barrier in the IaC development process and enables us to deploy features not yet released in the AzureRM provider. The definition is clear, as taken from the provider GitHub page:

The AzAPI provider is a very thin layer on top of the Azure ARM REST APIs. Use this new provider to authenticate to and manage Azure resources and functionality using the Azure Resource Manager APIs directly.

After playing with the provider, it felt similar to working with Bicep, and I was able to deploy the preview features using the AzAPI provider successfully. 👌

Note:
The diagram below depicts the architecture to deploy for the test.

Azure NetApp Files Preview Features 🕵️‍♀️

There are two new features in Azure NetApp Files that are not yet released in the AzureRM provider. These features are related to the NFS Volume or dual-protocol volumes with the Unix security style, providing more flexibility and control over access to the NFS volumes:

• Unix Permissions: Allows you to specify change permissions for the mount path. The setting does not apply to files under the mount path. By default, permissions are set to 0770, meaning read, write, and execute for owner and group only.
• Change of Ownership (Chown mode): Enables you to set the ownership management capabilities of files and directories.

Note:
The Unix permissions you specify apply only to the volume mount point (root directory).
You can modify the Unix permissions on the source volume but not on the destination volume in a cross-region replication configuration.

Azure NetApp Files Resource Provider Configuration

To test these new capabilities, you need to enable the features. Depending on how you manage Resource Providers, you can enable these features by adding the following to the azurerm_resource_provider_registration resource:

Note:
This can take ~15 minutes to complete. De-registering the resource provider can take longer than 30 minutes.

resource "azurerm_resource_provider_registration" "anf" {
  name = "Microsoft.NetApp"
  feature {
    name       = "ANFChownMode"
    registered = true
  }
  feature {
    name       = "ANFUnixPermissions"
    registered = true
  }
}

Important:
Adding or removing preview features will re-register the Resource Provider if managed by Terraform. In addition, you cannot modify a resource provider that is not managed by Terraform as expected.

Terraform Configuration 👨‍💻

I am deploying ANF using a module with the AzureRM provider and configuring the preview features using the AzAPI provider.

ANF Repo
    |_Modules
        |_ANF_Pool
            |_ main.tf
            |_ variables.tf
            |_ outputs.tf
        |_ ANF_Volume
            |_ main.tf
            |_ variables.tf
            |_ outputs.tf        
    |_ main.tf
    |_ providers.tf
    |_ variables.tf
    |_ outputs.tf

Terraform AzAPI and AzureRM Providers

I have declared the providers configuration as below:

provider "azurerm" {
  skip_provider_registration = true
  features {}
}

provider "azapi" {
}

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.00"
    }
    azapi = {
      source = "azure/azapi"
    }
  }
}

Deploying the Azure NetApp Files 👷

I will deploy my ANF structure using the following resources:

• ANF Account
• Capacity Pool
• Volume
• Export policy containing one or more export rules that process each client access request

resource "azurerm_netapp_account" "analytics" {
  name                = "cero-netappaccount"
  location            = data.azurerm_resource_group.one.location
  resource_group_name = data.azurerm_resource_group.one.name
}

module "analytics_pools" {
  source   = "./modules/anf_pool"
  for_each = local.pools

  account_name        = azurerm_netapp_account.analytics.name
  resource_group_name = azurerm_netapp_account.analytics.resource_group_name
  location            = azurerm_netapp_account.analytics.location
  volumes             = each.value
  tags                = var.tags
}

Important:
To create Azure NetApp Files, you need to request access to the region in which you are deploying via a support ticket.

AzAPI Update Resource Configuration

Given I already deployed my ANF Account, I use azapi_update_resource to manage the properties I need from the existing ANF resource properties. It uses the same authentication methods as the AzureRM provider.

• Make sure you install the Terraform AzAPI provider extension in VS Code, as it will make life easier with IntelliSense completion.

resource "azapi_update_resource" "vol_update" {
  type        = "Microsoft.NetApp/netAppAccounts/capacityPools/volumes@2021-10-01"
  resource_id = module.analytics_pools["pool1"].volumes.volume1.volume.id
  body = jsonencode({
    properties = {
      unixPermissions = "0740",
      exportPolicy = {
        rules = [{
          RuleIndex = 1,
          chownMode = "unRestricted"
        }]
      }
    }
  })
}

AzAPI to AzureRM Migration

I tried to see how this tool would work. However, as shown below, those settings are still not available in the AzureRM provider. I will have to wait to test this with ANF when those features are available in the AzureRM provider. More info about this tool [here][az2rm].

Summary 📻

The AzAPI provider definitely allows us to manage Azure resources and functionality using the Azure ARM REST APIs directly, without having to make complex deployments to leverage Terraform. It gives us the flexibility to manage zero-day feature support for Azure resources.

This is a great example of how to leverage the AzAPI provider to manage Azure resources and increase agility by being able to test new features easily if you are invested in Terraform. Azure NetApp Files keeps improving and adding new features, making it an excellent choice for your data management needs. I am excited to see how this will be used in the future.

I did find a bug in the Azure Portal UI when changing the chownMode property from restricted to unRestricted. This property was not changed in the UI, but it was in the Azure API. The other way around (unRestricted to restricted) works fine.

I am eager to see how the AzAPI2AzureRM migration tool will work when these features are added to the AzureRM provider and how seamless the experience will be.

I hope this helps someone and that you find it informative. Please let me know your constructive feedback, as it’s always important. 🕵️‍♂️ That’s it for now—Hasta la vista! 🐱‍🏍

🚴‍♂️ If you enjoyed this blog, you can empower me with some caffeine to continue working on new content. 🚴‍♂️

I recently started working with GCP, and as with most public cloud platforms, the first challenge is identity management. GCP allows federation from multiple sources, and if you have a Microsoft stack like Active Directory, you have some great options. In my case, I wanted to test scenarios where identities already exist in Azure AD and leverage its enterprise-level features to establish trust with Google Cloud Identity. This allows us to do the following with minimal effort:

1. Provision users, groups, and group memberships:
   The connector allows you to provision users and groups that are already in Azure AD to Google Cloud Identity.
2. Single Sign-On (SSO):
   Google Cloud delegates authentication to Azure AD using SAML.
3. Conditional Access Policies
4. Multifactor Authentication

Note:
Unfortunately, there is a limitation: Microsoft currently does not allow syncing nested groups through Enterprise Applications. Most enterprises use nested groups, but you cannot sync them through the connector.

The diagram below depicts the flow process for provisioning and Single Sign-On. I used one Enterprise Application for both provisioning and SSO.

Google Requirements

You need to create a user account in the GCP Admin Console. For my PoC, it is ceroprov@johnalfaro.com, and it needs super-admin permissions. This account will authorize the creation of groups and users on the GCP side.

Azure AD Requirements

There are a few settings to configure in Azure AD to enable the Enterprise Application for both user provisioning and SSO. Ensure you have the correct permissions. The following roles (from highest to lowest) can perform these tasks: Global Administrator, Cloud Application Administrator, or Application Administrator.

1. Create the Google Cloud Connector Enterprise Application:
   Search for Google Cloud and select Google Cloud/G Suite Connector by Microsoft. Configure the following:
   • Set Enabled for users to sign-in to Yes.
   • Set User assignment required to Yes.
   • Set Visible to users to No.
2. Provisioning Settings:
   • Set Provisioning Mode to Automatic.
   • Set Admin Credentials and then Authorize.
     Use the ceroprov@johnalfaro.com account to authorize the application. Allowing this confirms access to the GCP Cloud Identity API.
3. Test the connection to ensure you can authenticate to the API.

Important:
Always keep security in mind and use credentials with the least privileged access.

Configure User/Group Provisioning

In Azure AD, configure the mapping of users and groups to the GCP Cloud Identity API.

User Provisioning

I used the UPN to configure user mapping. This is the unique identifier in Azure AD. The GCP documentation provides details on mapping.

1. Under attribute mapping, select the row surname and set Default value if null to _.
2. Under attribute mapping, select the row givenName and set Default value if null to _.

Group Provisioning

I used the Name to configure group mapping. The GCP documentation recommends editing the mail attribute in attribute mappings, changing the mapping type to Expression, and setting the expression as below. Replace johnalfaro.com with your registered domain.

I also set Sync only assigned users and groups to avoid syncing all users and groups, which is recommended for any organization.

Join("@", NormalizeDiacritics(StripSpaces([displayName])), "johnalfaro.com")

User and Group Syncing

Now it’s time to test the connector. Add relevant users and groups you want to sync to GCP under Manage > Users and Groups. You have two options to sync:

1. Provision on demand:
   This manual process is useful for testing, troubleshooting, and validating attribute mapping expressions.
2. Automatic Provisioning:
   This is the recommended option. It provisions users and groups in the GCP Cloud Identity API. There is an initial provisioning cycle, followed by incremental cycles every 40 minutes.

Monitoring

You can monitor the provisioning process out-of-the-box. The logs provide details about all operations run by the user provisioning service, including provisioning status for individual users and groups.

Single Sign-On Configuration

I followed the GCP documentation to set up SSO. The configuration is as follows:

1. Edit the Basic SAML Configuration with:
   • Identifier (Entity ID): google.com
   • Reply URL: https://www.google.com/
   • Sign on URL: https://www.google.com/a/johnalfaro/ServiceLogin?continue=https://console.cloud.google.com/ (replace johnalfaro with your domain name)
2. Download the Certificate (Base64) from the SAML Signing Certificate.
3. In Attributes & Claims, select user.userprincipalname as the Unique identifier.
4. In the GCP Admin Console, log in as a Super-admin and navigate to Security > Authentication > SSO with third-party IdP then Add SSO profile. Enable Setup SSO with third party identity provider and configure:
   • Sign-in page URL: Copy from the Set up Google Cloud card in the Google Enterprise Application SSO Configuration.
   • Sign-out page URL: https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
   • Change password URL: https://account.activedirectory.windowsazure.com/changepassword.aspx (depends on SSPR usage)
   • Upload the certificate in the verification certificate field.

The Test-Drive 🦸‍♂️

After setup, I tested the connector by adding users and groups to sync to GCP and logging in to the GCP Console. This redirected me to Azure AD for sign-in, and after successful authentication, I was redirected to the GCP Console.

Summary

The Google documentation was easy to follow, and the setup was straightforward in a demo environment. I did encounter some issues with provisioning, such as occasional quarantining during automatic provisioning (with email notifications). At the enterprise level, I would prefer to provision users and groups in GCP using the API to ensure effective syncing, especially since nested groups are not supported by Azure AD provisioning.

I also enjoyed writing this in markdown and using GitHub Copilot to help draft the blog, which reduced typos. 👨‍💻

I hope this helps someone and that you find it informative. Please let me know your constructive feedback, as it’s always important. 🕵️‍♂️ That’s it for now—Hasta la vista! 🐱‍🏍

🚴‍♂️ If you enjoyed this blog, you can empower me with some caffeine to continue working on new content. 🚴‍♂️

In my last article I was working with a CI/CD pipeline using Azure Pipelines. This time I wanted to use the same approach but using GitHub Actions which lately is the new trend and also it is known that Microsoft is investing a bit more around this product. I must say I was impressed on how fast I was a able to test it out.

I wanted to Test-Drive this model by using the Terraform Cloud CLI-driven Run Workflow instead of the API-driven Run Workflow for a change. Also, I have introduced some Static Code analysis using Checkov. Checkov is a static code analysis tool for scanning infrastructure as code (IaC) files for misconfigurations that may lead to security or compliance problems, so I was able to plug that in into my workflow as it has a Github Action too.

Environment preparation

What do I need to get started?

Terraform Cloud

You need a Terraform Cloud Instance Free plan up to 5 users and you can leverage the Private Module registry and Remote State Storage.

1. Create a workspace using the CLI workflow and assign the required variables to authenticate to the Azure Platform

2. Generate a token that will be used by GitHub to authenticate to TFC and trigger the workspace for the Infrastructure as Code to be deployed

GitHub Repository

Create a new Github Repo.

1. Go to your GitHub profile then settings then developer settings then personal access tokens
   • Generate a GitHub token. This is to be used for commenting the PR’s for review
2. Go to Settings then Secrets
   • Create a new secret named TFC_TOKEN and paste the TFC token value generated.
   • Create a secret called AZURE_CREDENTIALS. This is for the Web App deployment. Make sure you set the JSON format properly as you may get some errors. It should look like this.

     {
         "clientId": "<GUID>",
         "clientSecret": "<GUID>",
         "subscriptionId": "<GUID>",
         "tenantId": "<GUID>",
     }
     

🤜Looks like we got everything required regarding Authentication & Authorization🤛

Important Always keep security in mind and use credentials with less privileged access.

My repo is organized like this to make simple

Web App Repo
        |
        |_.github\workflows
        |       |_terraform.yml
        |        
        |_Terraform
        |       |_ main.tf
        |       |_ variables.tf
        |       |_ outputs.tf
        |       |_ backend.tf
        |       |_ provider.tf
        |        
        |_ src
            |_ Application Source Code

Deployment Process

I have created a workflow with three GitHub Actions which actually were already available for its consumptionn in the GitHub Actions Marketplace one for the infrastructure Deployment, one for Static Code Analysis and one for the Web App code deployment. A difference to my article using AZDO, this time I am creating a Pull Request to do some validation in my terraform files prior applying the configuration.

1. After code has been committed a Pull Request will be created, consequently a validation process will kick off. All results will be directly available in the Pull Request instead of opening the GitHub Action or the Terraform Cloud workspace. However, on the time I played with I could not get Checkov’s output to be advertised in the PR comments. I think if using the commands directly and installing the binary it will be more flexible ಥ_ಥ.
   • Terraform format: checks whether the configuration has been properly formatted
   • Terraform Validate: validates the configuration used in the GitHub action workflow.
   • Terraform plan: generates a Terraform plan in the Terraform Cloud workspace
   • Static Security Code Analysis: Potential compliance/misconfiguration

Static Security Code Analysis with Checkov

Interestingly enough, and after a few rounds I had to set this variable soft_fail: true as it does not seem to be a way to select the policies that are important for your environment OOB. However, I found there are more policies for compliance than tfsec for my specific case. The policies as you can see below are good. However, some of them could potentially be false positives and/or not required depending on your environment. Still this is great tool and I think I will be exploring deeper into this project.

    - name: Run Checkov action
      id: checkov
      uses: bridgecrewio/checkov-action@master
      with:
        directory: terraform/
        soft_fail: true

1. When merging the PR, it will trigger the deployment of the Infrastructure and the Web App deployment (I know I didn’t do any validation on the web app code ☜(ﾟヮﾟ☜))… and the final result is a deployed Web App in about ~10 mins.

GitHub Workflow

The GitHub workflow in this case is distributed in one job with different multiple steps that will run based on the branch and github event.

Infrastructure as Code Deployment Stage

jobs
  terraform:
    name: 'Terraform'
    runs-on: ubuntu-latest

    # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest
    defaults:
      run:
        shell: bash
        working-directory: terraform

    steps:
    # Checkout the repository to the GitHub Actions runner
    - name: Checkout
      uses: actions/checkout@v2

    # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
    - name: Setup Terraform
      uses: hashicorp/setup-terraform@v1
      with:
        cli_config_credentials_token: $

    # Checks that all Terraform configuration files adhere to a canonical format
    - name: Terraform Format
      id: fmt
      run: terraform fmt -check

    # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
    - name: Terraform Init
      id: init
      run: terraform init

    - name: Terraform Validate
      id: validate
      run: terraform validate -no-color

    # Generates an execution plan for Terraform
    - name: Terraform Plan
      id: plan
      if: github.event_name == 'pull_request'
      run: terraform plan -no-color
      continue-on-error: true

    - uses: actions/github-script@v4.1.0
      if: github.event_name == 'pull_request'
      env:
          PLAN: "terraform\n$"
      with:
          github-token: $
          script: |
            const output = `#### Terraform Format and Style 🖌\`$\`
            #### Terraform Initialization ⚙️\`$\`
            #### Terraform Validation 🤖\`$\`
            #### Terraform Plan 📖\`$\`
            #### Static Security Analysis 🕵️‍♀️\`$\`
            
            <details><summary>Show Plan</summary>

            \`\`\`\n
            ${process.env.PLAN}
            \`\`\`

            </details>

            *Pusher: @$, Action: \`$\`*`;
           
            github.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: output
            })

    - name: Terraform Plan Status
      if: steps.plan.outcome == 'failure'
      run: exit 1

      # On push to main, build or change infrastructure according to Terraform configuration files
      # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks
    - name: Terraform Apply
      if: github.ref == 'refs/heads/main' && github.event_name == 'push'
      run: terraform apply -auto-approve   

Infrastructure as Code deployment in Action

The below is a quick demo of the Github Actions and Terraform Cloud interaction triggered via CLI to successfully deploy the Infrastructure required with minimum effort

Web App Deployment

The below describes the steps required to build and deploy the code in the Azure Web App, This is basd on the github action OOB.

    - uses: azure/login@v1
      if: github.ref == 'refs/heads/main' && github.event_name == 'push'
      with:
        creds: $
          
    - name: Setup Node $
      uses: actions/setup-node@v1
      if: github.ref == 'refs/heads/main' && github.event_name == 'push'
      with:
        node-version: $
      
    - name: 'npm install, build, and test'
      if: github.ref == 'refs/heads/main' && github.event_name == 'push'
      run: |
          npm install
          npm run build
                
      # deploy web app using Azure credentials
    - uses: azure/webapps-deploy@v2
      if: github.ref == 'refs/heads/main' && github.event_name == 'push'
      with:
        app-name: $
        package: $

      # Azure logout 
    - name: logout
      if: github.ref == 'refs/heads/main' && github.event_name == 'push'
      run: |
          az logout

Summary

🤔My idea in this article was to share my first experience with GitHub Actions “translating” what I had for Azure DevOps and see the similarities and new opportunities that it may open. I really like that I was able to do all of this with not much effort, as there are many actions available in the Github Actions marketplace. I can see many new projects are invested in GitHub Actions to provide their product integrations. I also liked the speed to get GitHub runner compared to a Microsoft Hosted agent in AZDO

In regards to Checkov, I would love to have more flexibility on the policies as it may be hard to get one size to fit all. Still I have to dig a bit more but it can definitely a good tool to use for static code analysis. Terraform Sentinel can help with this, you still have to author all the policies and that could be tedious, especially if golang is not your cup of tea ☕. However, you have the flexibility. Checkov is Python based which for me can be easier to digest 👨‍💻,, so what is your preference??

Overall the experience was great with some small challenges but the documentation is good to get your head around it. Especially with the action gives you quite a good percentage of the heavy lifting 🦸‍♂️

I do hope this helps someone and that you find it informative,, so please let me know as constructive feedback is always important🕵️‍♂️,, That’s it for now,,, Hasta la vista🐱‍🏍!!!

🚴‍♂️ If you enjoyed this blog, you can empower me with some caffeine to continue working in new content 🚴‍♂️.

I have been working with Terraform Cloud/Enterprise using the Version Control System VCS which is good but to my opinion does not provide enough flexibility when you want to have a proper Continuous Deployment flow where you are not just deploying Infrastructure, but you are covering the cycle from Continuous Integration and ending with a Release of verified artefacts/packages or even container images. Continuous Deployment guarantee that qualified releases are automatically deployed to Production.

So I wanted to Test-Drive this model by using the Terraform Cloud API-driven Run Workflow by not associating a workspace to a VCS repo, instead using Azure DevOps Pipeline to decide when a configuration should be changed and when runs should occur.

Environment preparation

What do I need to get started?

1. Azure DevOps Project, you can use the Free Tier.
2. Terraform Cloud Instance Free plan up to 5 users and you can leverage the Private Module registry and Remote State Storage.
3. Some code to deploy to the Web App, here I am deploying a Gatsby Site that can be found on the Microsoft learn modules.

My repo is organized like this to make simple

Web App Repo
        |_Terraform
        |       |_ main.tf
        |       |_ variables.tf
        |       |_ outputs.tf
        |       |_ backend.tf
        |       |_ provider.tf
        |        
        |_ src
        |    |_ Application Source Code
        |
        |_TFC.ps1

Deployment Process

I have created a pipeline with three stages as per diagram.

1. Builds the application source code to be deployed on the Web App and deploys the infrastructure by triggering a Terraform Cloud Workspace using the API
2. Deploy the artifact coming from the build to the Web App Staging slot if successful, there will be a pre-deployment approval that will be required before it goes to Production. Providing a timeout of 24hrs before it expires.
3. If approval given after validating the app changes in the staging slot. It will be executing the Slot Swap with the Production slot

Just in case The staging slot will now have the previous production app.

Azure DevOps Pipeline

I have setup the pipeline steps as below in order to demo the deployment. For the first step, I am triggering a PowerShell Script that will trigger the deployment on my Terraform Cloud Workspace in this case. I was using the built-in PowerShell task. However, it was using PowerShell v5.1 and not PowerShell v7, hence I used the PowerShell v2 task and explicitly declared to use PowerShell Core by using the Boolean true. Additionally, I stored the API token generated in Terraform Cloud as a secret value variable for the interaction with my workspace

Infrastructure as Code Deployment Stage

- stage: IaC
  displayName: Infrastructure Deployment
  jobs:
  - job: Build
    steps:
      - task: PowerShell@2
        displayName: 'IaC TFC/TFE'
        inputs:
          filePath: '$(System.DefaultWorkingDirectory)\TFC.ps1'
          arguments: >
            -Org  "$(org)"
            -Server "$(server)" 
            -tf_token "$(tfc_token)"
            -workspace_name "$(tfc_workspace)"
          pwsh: true
          workingDirectory: '$(System.DefaultWorkingDirectory)'```

The below is the PowerShell Script that interacts with the Terraform Cloud API to carry on the taks on my workspace (already created by another TFC workspace 🐱‍👤). The script is the very least you will need to make the right calls and deploy successfully the infrastructure is the Terraform Plan is successful. However, it will require refinenment to be more productionalized e.g. Logging and more error handling due to the multiple responses from Terraform Cloud.

The Script goes through the following process:

1. Create a configuration to upload: this needs to be on a .tar.gz file
2. Parse the Terraform Workspace ID: where the config is to be uploaded, planned and applied to the Cloud platform in this case Azure. The workspace already has the variables required to authenticate via AzureRM Provider
3. Create Configuration Version: this configuration-version is created to associate uploaded content with the workspace. This API call performs two tasks: it creates the new configuration version and it extracts the upload URL to be used in the next step.
4. Upload Config: it will upload the config and provided I have setup the auto-queue-runs = true it will start a run with a plan
5. Terraform Plan: it will run the plan and go through a logic to get to the next step. If plan is successful, the plan output will print out and will trigger an Apply Run. In case there are no changes to be made then it will not execute an Apply and the task in Azure DevOps will be successful to continue with the Code build task. The plan status will be checked.
6. Terraform Apply: it will apply the configuration changes and save the state file in Terraform Cloud workspace. The Apply status will be checked and after the apply run is finished it will print out the explicit outputs created on screen from the outputs.tf.

[cmdletBinding()]
Param(
    [Parameter(Mandatory = $true)]
    [string] $Org,
    [Parameter(Mandatory = $true)]
    [string] $Server,
    [Parameter(Mandatory = $true)]
    [string] $TF_TOKEN,
    [Parameter(Mandatory = $true)]
    [string] $WORKSPACE_NAME
)

#Configuration files to upload as .tar.gz. This is required as we are not fetching files from version control directly to the workspace
$UPLOAD_FILE_NAME = "content-$((get-date).ToString("yyyyMMdd")).tar.gz"
cd Terraform
tar -cvzf $UPLOAD_FILE_NAME .\*.tf 

$headers = @{
    Authorization = "Bearer $TF_TOKEN"
}

$body = @"
            {
                "data": {
                    "type": "configuration-versions",
                    "attributes": {
                      "auto-queue-runs": true
                        }
                  }
            }
"@

$apply_on = @"
              {
            "comment": "apply via  CeRoCooL API"
              }
"@

#parsing Workspace ID
$WORKSPACE_ID = (Invoke-RestMethod  -Uri "https://$Server/api/v2/organizations/$Org/workspaces/$WORKSPACE_NAME" -Method Get -ContentType "application/vnd.api+json" -Headers $headers).data.id

#Create configuration Version
$UPLOAD_URL = (Invoke-RestMethod  -Uri "https://$Server/api/v2/workspaces/$WORKSPACE_ID/configuration-versions" -Method POST -ContentType "application/vnd.api+json" -Headers $headers -Body $body).data.attributes."upload-url"

#Upload Configuration File
$UPLOAD_FILE = Invoke-RestMethod  -Uri $UPLOAD_URL -Method Put -ContentType "application/octet-stream"  -InFile $UPLOAD_FILE_NAME

$id = @"
        {
    "data": {
        "attributes": {
            "is-destroy": false
        },
        "type": "runs",
        "relationships": {
            "workspace": {
                "data": {
                    "type": "workspaces",
                    "id": "$WORKSPACE_ID"
                }
            }
        }
    }
}
"@

#Parse Run ID 
$RUN_ID = (Invoke-RestMethod  -Uri "https://$Server/api/v2/runs" -Method Get -ContentType "application/vnd.api+json" -Headers $headers -Body $id).data.id | Select-Object -First 1
$continue = 1
while ($continue -ne 0) {
    foreach ($RUN in $RUN_ID) {
        $RESULT = Invoke-RestMethod  -Uri "https://$Server/api/v2/runs/$RUN" -Method Get -ContentType "application/vnd.api+json" -Headers $headers -Body $id
        $STATUS = $RESULT.data.attributes.status
        $CONFIRMABLE = $RESULT.data.attributes.actions."is-confirmable"
        #Verifies plan has succesfully finished
        if ($STATUS -eq "planned" -and $CONFIRMABLE -eq "False") {
            $PLAN = Invoke-RestMethod  -Uri ("https://$Server/api/v2/runs/$RUN" + "?include=plan") -Method Get -ContentType "application/vnd.api+json" -Headers $headers
            $PLAN_LOG = $PLAN.included.attributes."log-read-url"
            #print out Plan Log for verification
            Invoke-RestMethod  -Uri $PLAN_LOG
            $continue = 0
            #start Apply Process after succesful Plan
            $APPLY = Invoke-RestMethod  -Uri "https://$Server/api/v2/runs/$RUN/actions/apply" -Method Post -ContentType "application/vnd.api+json" -Headers $headers -Body $apply_on

            $RESULT = Invoke-RestMethod  -Uri ("https://$Server/api/v2/runs/$RUN" + "?include=apply") -Method Get -ContentType "application/vnd.api+json" -Headers $headers

            # Get apply ID
            $APPLY_ID = $RESULT.included.id

            $continue = 1
            while ($continue -ne 0) {
                $RESULT = Invoke-RestMethod  -Uri "https://$Server/api/v2/applies/$APPLY_ID" -Method Get -ContentType "application/vnd.api+json" -Headers $headers
                $STATUS = $RESULT.data.attributes.status
                Write-Output $STATUS
                if ($STATUS -eq "finished") {
                    Write-Host "Apply finished"
                    $APPLY_LOG = $RESULT.data.attributes.'log-read-url'
                    $STATE_ID = $RESULT.data.relationships.'state-versions'.data.id
                    $STATE_LOG = Invoke-RestMethod  -Uri ("https://$Server/api/v2/state-versions/$STATE_ID" + "?include=outputs") -Method Get -ContentType "application/vnd.api+json" -Headers $headers
                    $OUTPUTS = ($STATE_LOG.included).Count
                    #Get all Outputs on screen 
                    for ($OUTPUT = 0; $OUTPUT -lt $OUTPUTS; $OUTPUT++) {
                        $STATE_LOG.included[$OUTPUT].attributes
                    }
                    $continue = 0
                }
                elseif ($STATUS -eq "errored") {
                    Write-Host "Terraform Apply errored"
                    $APPLY_LOG = $RESULT.data.attributes.'log-read-url'
                    Invoke-RestMethod  -Uri $APPLY_LOG
                    $continue = 0
                }
                elseif ($STATUS -eq "canceled") {
                    Write-Host "Terraform Apply canceled"
                    $APPLY_LOG = $RESULT.data.attributes.'log-read-url'
                    Invoke-RestMethod  -Uri $APPLY_LOG
                    $continue = 0
                }
                else {
                    Write-Host "Terraform Apply in progress"
                }
            }
        }
        if ($STATUS -eq "planned_and_finished") {
            $PLAN = Invoke-RestMethod  -Uri ("https://$Server/api/v2/runs/$RUN" + "?include=plan") -Method Get -ContentType "application/vnd.api+json" -Headers $headers
            $PLAN_LOG = $PLAN.included.attributes."log-read-url"
            Invoke-RestMethod  -Uri $PLAN_LOG
            $continue = 0
            break
        }
        else { Write-Host "Terraform Plan in Progress" }
    }
}

Infrastructure as Code deployment in Action

The below is a quick demo of the Azure DevOps and Terraform Cloud interaction triggered via API calls to successfully deploy the Infrastructure.

Application Code build

The below describes the minimal steps required to build and generate an artefact to be deployed in the Azure Web App staging slot.

stage: build
  displayName: App Build and Staging Deployment
  jobs:
  - job: Build
    steps:
      - task: NodeTool@0
        displayName: 'Node.js version'
        inputs:
          versionSpec: 12.x

      - task: Npm@0
        displayName: 'npm install'
        inputs:
          arguments: '--force'

      - task: Npm@1
        displayName: 'npm build'
        inputs:
          command: custom
          verbose: false
          customCommand: 'run build'

      - task: ArchiveFiles@1
        displayName: 'Archive files '
        inputs:
          rootFolder: public

      - task: CopyFiles@2
        displayName: 'Copy Files'
        inputs:
          SourceFolder: '$(Build.ArtifactStagingDirectory)'
          Contents: '$(Build.BuildId).zip'
          TargetFolder: '$(Build.ArtifactStagingDirectory)\ArtifactsToBePublished'

      - task: PublishBuildArtifacts@1
        displayName: 'Publish Artifact: drop'
        inputs:
          PathtoPublish: '$(Build.ArtifactStagingDirectory)\ArtifactsToBePublished'
          artifact: Webapp

Staging slot deployment

The below describes the task required to deploy the artefact generated from the step before to be deployed in the Azure Web App staging slot.

      - task: AzureRmWebAppDeployment@4
        displayName: 'Staging deployment'
        inputs:
          azureSubscription: $(sub)
          appType: webAppLinux
          WebAppName: $(WebAppName)
          deployToSlotOrASE: true
          ResourceGroupName: '$(RG)'
          SlotName: staging
          package: $(Build.ArtifactStagingDirectory)\ArtifactsToBePublished\*.zip 

Web App Deployment to Production

In this stage, I have two different tasks to ensure there is a manual approval before the code in the staging slot is swapped against the production one. I could potentially just deployed the code directly to the Prod slot. However, I find the swapping feature a nice way to ensure zero-downtime deployments and a way to validate and/or test new features before pushing it into Production.

- stage: production
  displayName: App Deployment Production
  jobs:
  - job: waitForValidation
    displayName: Approval   
    pool: server    
    timeoutInMinutes: 4320 # job times out in 3 days
    steps:   
    - task: ManualValidation@0
      timeoutInMinutes: 1440 # task times out in 1 day
      inputs:
        notifyUsers: |
          email@gmail.com
        instructions: 'Please validate the build configuration and resume'
        onTimeout: 'resume' 
  - job: Production_Release
    steps:
      - task: AzureAppServiceManage@0
        displayName: 'Production deployment'
        inputs:
          azureSubscription: $(sub)
          WebAppName: $(WebAppName)
          ResourceGroupName: '$(RG)'
          SourceSlot: staging

Summary

My focus on this post was to demo and show a way using PowerShell to interact with Terraform Cloud and/or Terraform Enterprise using the API-driven Run Workflow in an Azure DevOps pipeline. However, this will work with any CI/CD tool you may be working with.

I did have some fun and removed some rust from my Azure DevOps days. If you find yourselves already invested in TFC/TFE this is definitely a way that will allow you to have more flexibility while taking advantage of the features offered by enterprise products.

I do hope this helps someone and that you find it informative,, so please let me know as constructive feedback is always important🕵️‍♂️,, That’s it for now,,, Hasta la vista🐱‍🏍!!!

🚴‍♂️ If you enjoyed this blog, you can empower me with some caffeine to continue working in new content 🚴‍♂️.

Project Bicep is taking ARM to the next level and it is making lots of good noise in the IaC world. I have been using terraform for a while so I decided to check it out and see how it compares to HCL language to deploy IaC in Azure Platform and also to see how easy it is to author these kind of templates. :astonished: Given that now Bicep support the creation of modules it makes it even more appealing, still early stages but looking forward to feature parity to terraform

Environment preparation for Bicep

What do I need to get started?

1. I am using WSL2 on Win10 for my environment so I have updated my Azure CLI version to the latest, as it is required to be on v2.20 or later. Then I installed Bicep compiler running the command az bicep install.
2. I installed the Bicep extension which definitely makes life so much easier as the intellisense is great and it makes authoring quite enjoyable
3. I did rely on the Azure ARM Template documentation in order to check the values to use in the Bicep template regarding resource types similar to the Azure RM provider documentation in terraform. I had a few challenges here as Terraform API calls may use different variable names to interact with the Azure API’s.

AKS the terraform way

My terraform deployment uses modules stored in my Private Terraform Cloud Module repository. In that case, the structure of the deployment files looks as per below. The module structure in terraform is per below the right hand side. For instance, my deployment AKS Deployment will call all the approved modules to be consumed and deploy the whole solution.

AKS Deployment
        |_main.tf
        |    |_ AKS Module
        |    |   |_ main.tf
        |    |   |_ variables.tf
        |    |   |_ outputs.tf
        |    |
        |    |_ VNet Module
        |    |   |_ main.tf
        |    |   |_ variables.tf
        |    |   |_ outputs.tf
        |    |
        |    |_ Subnet Module
        |    |   |_ main.tf
        |    |   |_ variables.tf
        |    |   |_ outputs.tf
        |    |
        |    |_ Route Table Module
        |        |_ main.tf
        |        |_ variables.tf
        |        |_ outputs.tf
        |
        |_variables.tf
        |_outputs.tf
        |_providers.tf

The main.tf file of the AKS module looks like below with all the values to be provided by populating the variables. 👇

resource "azurerm_kubernetes_cluster" "test" {

  name                      = var.name
  resource_group_name       = var.resource_group.name
  location                  = var.resource_group.location
  dns_prefix                = var.dns_prefix
  kubernetes_version        = var.kubernetes_version
  private_cluster_enabled   = true

  default_node_pool {
    name                 = "default"
    orchestrator_version = var.kubernetes_version
    node_count           = var.node_count
    vm_size              = var.node_size
    os_disk_size_gb      = var.os_disk_size_gb
    vnet_subnet_id       = var.node_vnet_subnet_id
    max_pods             = var.max_pods
    enable_auto_scaling  = true
    min_count            = var.auto_scaling_min_count
    max_count            = var.auto_scaling_max_count
    availability_zones   = var.availability_zones
  }

  addon_profile {

    azure_policy {
      enabled = false
    }
  }

  role_based_access_control {
    enabled = true

    azure_active_directory {
      managed = true

      admin_group_object_ids = var.aad_group_id
    }
  }

identity {
    type = "SystemAssigned"
  }

  network_profile {
    network_plugin     = "azure"
    network_policy     = var.network_policy
    load_balancer_sku  = "standard"
    outbound_type      = "userDefinedRouting"
    service_cidr       = "192.168.254.0/24"
    dns_service_ip     = "192.168.254.10"
    docker_bridge_cidr = "172.22.0.1/16"
  }
}

The deployment uses the provider.tf for the authentication to the Azure Platform for the deployment of the resources as such with a block similar to the one below when using terraform open source or you will have a service principal already assigned in TFC/TFE on the workspace for the deployment. Please refer to Terraform Configuration

AKS the Bicep way 🦾

Azure Bicep did not disappoint and by using, the VSCode extension intellisense I was able to write the module in a few minutes in a similar fashion to my Terraform Module, still not as robust as terraform but I guess it is early stages for Bicep. The file structure is quite similar except here at this stage I cannot have my variables/parameters and outputs on separate files. In addition, I do not need the provider file, as this is ARM after all so the context used (user/SPN/identity) will be used for the deployment.

AKS Deployment
        |_main.bicep
            |_ AKS Module
            |   |_ aks.bicep
            |
            |_ Network Module
            |   |_ vnet.bicep
            |
            |_ Route Table Module
                |_ routetable.bicep

The aks.bicep file of the AKS module looks like below with all the values to be provided by populating the variables. 👇

param location string = resourceGroup().location
param AKSName string
param subnet_id string 
param group_id string
param dns_prefix string
param kubernetes_version string
param node_count int
param auto_scaling_min_count int
param auto_scaling_max_count int
param max_pods int
param os_disk_size_gb int
param node_size string

resource aks 'Microsoft.ContainerService/managedClusters@2021-02-01' = {
  name: AKSName
  location: location
  properties: {
    kubernetesVersion: kubernetes_version 
    enableRBAC: true
    dnsPrefix: dns_prefix
    aadProfile: {
      managed: true
      adminGroupObjectIDs: [
        group_id
      ]
    }
    networkProfile: {
      networkPlugin: 'azure'
      networkPolicy: 'azure'
      serviceCidr: '192.168.254.0/24'
      dnsServiceIP: '192.168.254.10'
      dockerBridgeCidr: '172.22.0.1/16'
      outboundType: 'userDefinedRouting'
    }
    apiServerAccessProfile: {
      enablePrivateCluster: true
    }
    addonProfiles: {
      azurepolicy: {
        enabled: false
      }
      httpApplicationRouting: {
        enabled: false
      }
    }
    agentPoolProfiles: [
      {
        name: 'agentpool'
        mode:'System'
        osDiskSizeGB: os_disk_size_gb
        count: node_count
        vmSize: node_size
        osType: 'Linux'
        type: 'VirtualMachineScaleSets'
        maxPods: max_pods
        vnetSubnetID: subnet_id
        enableAutoScaling: true
        minCount: auto_scaling_min_count
        maxCount: auto_scaling_max_count
        orchestratorVersion: kubernetes_version
        availabilityZones: [
          '1'
          '2'
          '3'
        ]
      }
    ]
  }
  identity: {
    type: 'SystemAssigned'
  }
}

output object object = aks
output aks_id string = aks.properties.privateFQDN
output aks_identity object = aks.properties.identityProfile

Definitely much nicer and easier to digest than an ARM in JSON format and quite similar to the terraform language layout at the end of the day same API calls 💪.

Module Structure using Bicep

Modules are called using the following syntax quite similar to terraform module blocks and supports depends on which was something introduced in terraform world from v13. However, versioning is not supported at this time as well as <module_path> it’s only local not providing enough flexibility and governance around module creation for reusability.

module <name> '<module_path>' {
  name: <required name of the nested deployment>
  scope: <rg/subscription>
  // Input Parameters
  <parameter-name>: <parameter-value>
  dependsOn:[
    <module/resource>
  ]
}

Solution Deployment Bicep Way

In order to deploy the whole solution. I setup a main.bicep which makes the calls to the modules for the deployment based on variables and parameters required for each of them. The file will look like below. Given I am deploying the Resource Group to logically group my resources my deployment requires to be scoped to my subscription

targetScope = 'subscription'

param location string = 'australia east'

var RgName          = 'aks-rg-test'
var AKSName         = 'aks-development'
var AKSvNetName     = 'aks-vnet'
var AKSsubnetName   = 'aks-subnet'
var AKSsubnetPrefix = '10.0.3.0/25'

//Resource group
resource rg 'Microsoft.Resources/resourceGroups@2020-06-01' = {
  name: RgName
  location: location
}

module vnet './vnet.bicep' = {
  name: AKSvNetName
  scope: resourceGroup(rg.name)
  params: {
    location: location
    vNetName: AKSvNetName
    address_space: '10.0.3.0/24'
    SubnetName: AKSsubnetName
    subnetPrefix: AKSsubnetPrefix
  }
  dependsOn: [
    rg
  ]
}

module aks './aks.bicep' = {
  name: AKSName
  scope: resourceGroup(rg.name)
  params: {
    location: location
    subnet_id: vnet.outputs.subnetid
    group_id: 'bad1b814-cb6e-4027-afd2-ee0d27aef0e1'
    AKSName: 'aks-dev'
    dns_prefix: 'dev'
    kubernetes_version: '1.18.14'
    node_count: 1
    auto_scaling_min_count: 1
    auto_scaling_max_count: 3
    max_pods: 50
    os_disk_size_gb: 64
    node_size: 'Standard_D2_v3'
  }
  dependsOn: [
    vnet
  ]
}

output vnetid string    = vnet.outputs.vnet_id
output aksid string     = aks.outputs.aks_id
output aks_iden object  = aks.outputs.aks_identity

For the deployment I used Azure CLI and the deployment was just by running the below command. Where c short name for --confirm-with-what-if gives me a sense of a dry run similar to our terraform plan. We can get a JSON representation of a terraform plan like but I guess it will be a bit harder to inspect.

az deployment sub create -c --name aksbicep --template-file main.bicep --location 'australiaeast'

You can also have JSON representation for the changes by using the command below and you can potentially pipe the results so you can programmatically inspect those changes

az deployment sub what-if --no-pretty-print --name aksbicep --template-file deployment.bicep --location 'australiaeast'

Important I run this exercise using my account context with currently has a contributor role assignment. In enterprise scenarios, you will have a more comprehensive RBAC controls and potentially using CI/CD tools that will run under Service Principals or Manage Identities.

Summary

I really found Bicep so much better to deal with than ARM templates so if you are on an environment using ARM templates for all your deployments, Bicep will be a really good option to explore and the best of all is that you can get the latest released features so you will not have to wait for a release to start enjoying those new features. Still Bicep needs to mature a bit more to offer more flexibility but you can start getting the benefits already. Modules is something I hope it gets enhanced as this will definitely increase code reusability and will increase authoring time as you will remove copy/paste for different solution deployments

On the other hand If you are already using terraform you will be already enjoying a more mature product that is cloud agnostic in regards to its language. I will assume Bicep team will be making good efforts and make those awesome capabilities from Terraform available in Bicep. Project Bicep still will be native to Azure so it will not be a language you can use on other clouds.

If you are keen I found some motivation on the below great videos.👇

I hope it was informative, hasta la vista and keep working out those 🦾!!!

Code Download

The code I created for this demo is available in my blog repository Github.

🚴‍♂️ If you enjoyed this blog, you can empower me with some caffeine to continue working in new content 🚴‍♂️.

I have been deploying my infrastructure using Terraform Open Source. However, given you can use Terraform Cloud for free you get some features like create and provision infrastructure as well as collaboration which you can do it up to 5 people… which is perfect for what I wanted to achieve. In addition, you get a Terraform Module Registry where you can store and consume modules.

Account Creation

What do I need to get started

1. Create an Account in terraform.io
2. Create a Terraform Cloud Organization
3. Have your Version Control System provider for your code integration(I will start with this one but in the long run I think I will be using API-driven workflow due to flexibility to trigger from a more comprehensive pipeline deployment where I can have my infra and my application code)

So I decided to open an account and leverage my Version Control System (VCS) account which resides in Github to start exploring a bit deeper. By the time I started the article I already had the integration done but you can follow the terraform documentation as you may be using a different VCS provider.

So it kind of looks like this 👇… your own Terraform Cloud (SaaS version)

Structure

I decided to build a Hub & Spoke scenario where I have three workspaces

• HUB workspace where I have all my platform layer and NVA appliance = cerocool-azure-tenant 👉 Deploys all subscription platform components

• Sydney Spoke = cerocool-application-syd 👉 Deploys infra and application(s) into the Virtual Network (vNet)

• Melbourne Spoke or Application (just to explorer more) = cerocool-application-mel 👉 Deploys infra and application(s) into the Virtual Network (vNet)

Given that Sydney is the region that usually gets all the love I will deploy most of my infra there as new preview features are released here

Terraform Configuration

To start consuming those workspaces I did create cerocool-azure-tenant workspace manually… I guess you always have to start somewhere🤨.. and I have added all the necessary Environment variables from my Azure Service Principal so it can interact with my Azure subscription.

• My Service Principal will be carrying tasks for deploying the infrastructure but also to do role assignments so given those requirements I assigned Owner role.

This changes the way I interact from my configuration as well as my backend

Terraform Backend

By default, I was using local backend then I moved to State Storage using an Azure Storage Account which provides state locking…but now I have my state file in Terraform Cloud which support remote operations as for my last two methods all operations were run locally, this is not as key on my environment but on an enterprise environment where multiple people are collaborating this can be key for user experience as you will have a few variables like not relaying on your workstation or scary one sharing credentials to interact with Azure❌

so what’s a Backend,,, it is a term to define how the state is loaded and how the usual operations are executed like apply, destroy, etc.

Interacting with Terraform Cloud

After we have some of the requirements met to start deploying your infrastructure. You need to somehow communicate with Terraform Cloud. Given my environment I was able to run terraform login which is a command released not long ago that allows you obtain automatically an API token. Depending on your environment, you may not be able to use this command so you will generate and save your token on different way. This token gets stored on your local machine and looks like the one below 🤯

{
  "credentials": {
    "app.terraform.io": {
      "token": "YOUR OWN TOKEN"
    }
  }
}

This token is stored on a file called credentials.tfrc.json which on my Windows laptop is stored on C:\Users\me\AppData\Roaming\terraform.d\credentials.tfrc.json

Just in case If you have your own hostname then you need to replace it like terraform login contoso as by default it is app.terraform.io

After doing all of this we are ready to start planning and applying our Azure infrastructure in this case. Given this is my sandpit environment I did not migrate my state file to Terraform Cloud instead I did start from scratch.

Summary

This was just an overview of my journey from Terraform Open Source to Terraform Cloud. I will continue on digging and exploring a bit more into some of the benefits you get by using Terraform Cloud for small teams. I have signed for a free trial to explore some of the cool features like cost estimation, sentinel Policies and of course RBAC. I hope this has been informative and helpful⚔

🚴‍♂️ If you enjoyed this blog, you can empower me with some caffeine to continue working in new content 🚴‍♂️.

🚀 Terraform 0.13: The for_each Feature

Terraform 0.13 is the latest trend in the Terraform IaC world, and one of its most anticipated features is the new for_each capability.

I have all my Azure infrastructure currently deployed using Terraform 12. Now that version 13 is available (which, judging by the number, might seem unlucky—but 2020 has already set the bar for “unlucky”!), it’s time to explore the new features. 😄

Why Is for_each Great for Modules?

The for_each feature allows you to define multiple instances in a single block by using a map, leveraging modules to reduce the amount of code significantly.

I decided to start modifying my infrastructure to take advantage of these new features, beginning with for_each. You can refer to the Terraform 13 Changelog for more information about these changes.

Previously, I had a resource group module that I called n times—once for each resource group I needed (in my case, nine). It looked like this:

module "rg-dmz" {
  source             = "../modules/resource_group"
  name_suffix        = "dmz"
  location           = var.location
  full_env_code      = local.full_env_code
  create             = true
  enable_delete_lock = false
}

module "rg-app" {
  source             = "../modules/resource_group"
  name_suffix        = "app"
  location           = var.location
  full_env_code      = local.full_env_code
  create             = true
  enable_delete_lock = false
}
# ... repeated n times for each RG

Modifications Required

To make my code more efficient and dynamic, I updated my deployment to leverage for_each. This allows me to define multiple instances in one block using a map, reducing code duplication. More information about using for_each.

module "rgs" {
  for_each = {
    rg-dmz        = "dmz"
    rg-app        = "app"
    rg-services   = "services"
    rg-management = "management"
    rg-data       = "data"
    rg-network    = "network"
    rg-packer     = "packer"
  }

  source             = "../modules/resource_group"
  name_suffix        = each.value
  location           = var.location
  full_env_code      = local.full_env_code
  create             = true
  enable_delete_lock = false
}

State Resource Reorganization

After making these changes and running a plan, I encountered a new challenge: the new resources did not match the information in my state file. 🏃‍♂️ Some inspection was required, and I started doing the needful (thanks, BT, for that phrase). However, I had issues moving the state and received the following error:

terraform state mv module.rg-packer.azurerm_resource_group.rg  module.rgs["rg-packer"].azurerm_resource_group.rg                                     

Error: Index value required

  on  line 1:
  (source code not available)

Index brackets must contain either a literal number or a literal string.

Releasing state lock. This may take a few moments...

After some investigation (a.k.a. Googling), I found in the Terraform documentation how to terraform state mv using for_each. Depending on your terminal, you may need different syntax for the state movement. In my case, I was using PowerShell:

terraform state mv 'module.rg-packer.azurerm_resource_group.rg[0]' 'module.rgs_mel[\"rg-packer\"].azurerm_resource_group.rg[0]'

And voilà! 💃 State movement successful. I repeated this for the rest of my resources.

Calling the Module Outputs

After completing my state migration and running a plan to ensure everything was correct, I needed to update all statements where I consumed module outputs. For example:

resource "azurerm_app_service_plan" "various" {
  name                = "azure-functions-cero-service-plan"
  location            = var.location
  resource_group_name = module.rgs["rg-management"].name # using the for_each module output
  kind                = "FunctionApp"
  reserved            = true

  sku {
    tier = "Dynamic"
    size = "Y1"
  }
}

The “No Changes Expected” Outcome 👼

After all these changes, the expected outcome was to have no planned changes, as we were only redesigning the code. My Terraform Cloud workspace applied the changes successfully, and the result was 🧙‍♂️

Summary

Terraform v13 offers excellent new features that many long-time users have been waiting for. Migrating existing infrastructure to v13 is not always straightforward, but it ultimately makes code management easier. I will continue updating my code to leverage all v13 features and share my progress. I hope this helps someone—Hasta la vista!

🚴‍♂️ If you enjoyed this blog, you can empower me with some caffeine to continue working on new content. 🚴‍♂️