Driving Azure and AWS deployments using Infrastructure as Code
Step-by-Step Workflow
1. Define Reusable IaC Modules with Terraform
Example: AWS Networking Module
# modules/aws-network/main.tf
variable "cidr_block" { type = string }
variable "public_subnet_cidr" { type = string }
resource "aws_vpc" "main" {
  cidr_block = var.cidr_block
}
# Public subnet carved out of the VPC; both CIDRs are supplied by Terragrunt below.
resource "aws_subnet" "public" {
  vpc_id     = aws_vpc.main.id
  cidr_block = var.public_subnet_cidr
}
output "vpc_id" {
  value = aws_vpc.main.id
}
Environment-Specific Configuration Using Terragrunt
# envs/dev/terragrunt.hcl
terraform {
  source = "../../modules/aws-network"
}
inputs = {
  cidr_block         = "10.0.0.0/16"
  public_subnet_cidr = "10.0.1.0/24"
}
on:
  pull_request:
    branches:
      - main
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v3
    path: kubernetes/
  destination:
    server: https://kubernetes.default.svc
    namespace: my-app
  project: default
  syncPolicy:
    automated:
      prune: true      # delete cluster objects that were removed from Git
      selfHeal: true   # revert manual changes back to what Git declares
      # With both enabled, write access to this Git path is write access to the namespace:
      # protect the repository at least as strictly as the cluster.
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v3
      - name: Terraform Apply
        env:
          # Long-lived IAM user keys held as repository secrets. The short-lived alternative is
          # GitHub OIDC federation through aws-actions/configure-aws-credentials (the job needs
          # "permissions: id-token: write"), which leaves no static key to leak or rotate.
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        run: |
          terraform init
          terraform apply -auto-approve
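The deploy job above bundles three things a reviewer would flag: long-lived cloud keys in `env`, actions pinned to mutable tags, and an unconditional `apply -auto-approve`. The following checker is an added example written for this page, not code from the original document or from any project it names. It operates on the workflow as a Python dict (YAML loading is left out so it runs with the standard library alone); the two embedded workflows are constructed, and the commit SHA and role ARN in the hardened one are placeholders.

```python
"""Policy checks for a GitHub Actions deploy job (constructed sample workflows, not files)."""
import re
from typing import Any

# Mirrors the deploy job on the page: static keys in env, auto-approve on pull_request.
WEAK_WORKFLOW: dict[str, Any] = {
    "on": {"pull_request": {"branches": ["main"]}},
    "jobs": {
        "deploy": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"name": "Checkout Code", "uses": "actions/checkout@v3"},
                {
                    "name": "Terraform Apply",
                    "env": {
                        "AWS_ACCESS_KEY_ID": "${{ secrets.AWS_ACCESS_KEY_ID }}",
                        "AWS_SECRET_ACCESS_KEY": "${{ secrets.AWS_SECRET_ACCESS_KEY }}",
                    },
                    "run": "terraform init\nterraform apply -auto-approve\n",
                },
            ],
        }
    },
}

# Same job with OIDC-issued credentials, SHA-pinned actions and plan-then-apply on merge.
PLACEHOLDER_SHA = "0" * 40  # hypothetical; a real pin is the action's full commit SHA
HARDENED_WORKFLOW: dict[str, Any] = {
    "on": {"push": {"branches": ["main"]}},
    "permissions": {"id-token": "write", "contents": "read"},
    "jobs": {
        "deploy": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"name": "Checkout Code", "uses": f"actions/checkout@{PLACEHOLDER_SHA}"},
                {
                    "name": "Assume deploy role via OIDC",
                    "uses": f"aws-actions/configure-aws-credentials@{PLACEHOLDER_SHA}",
                    "with": {"role-to-assume": "arn:aws:iam::123456789012:role/TerraformExecutionRole",
                             "aws-region": "us-west-2"},
                },
                {"name": "Terraform Apply",
                 "run": "terraform init\nterraform plan -out=tfplan\nterraform apply tfplan\n"},
            ],
        }
    },
}

STATIC_KEY_VARS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "ARM_CLIENT_SECRET"}
AUTO_APPROVE_RE = re.compile(r"terraform\s+apply[^\n]*-auto-approve")
MUTABLE_TAG_RE = re.compile(r"^[^@]+@v\d+(\.\d+)*$")  # e.g. actions/checkout@v3


def lint_workflow(wf: dict[str, Any]) -> list[str]:
    """Return one finding per rule violation; an empty list means the workflow is clean."""
    findings: list[str] = []
    # PyYAML reads the bare key `on` as boolean True (YAML 1.1); accept both spellings.
    triggers = wf.get("on", wf.get(True, {}))
    if isinstance(triggers, str):
        triggers = [triggers]
    trigger_names = set(triggers)
    for job_name, job in wf.get("jobs", {}).items():
        perms = job.get("permissions", wf.get("permissions", {}))
        has_oidc = isinstance(perms, dict) and perms.get("id-token") == "write"
        for step in job.get("steps", []):
            where = f"{job_name}/{step.get('name') or step.get('uses') or 'unnamed'}"
            static = sorted(STATIC_KEY_VARS & set(step.get("env") or {}))
            if static:
                findings.append(f"{where}: long-lived credentials {static} in env; "
                                "prefer OIDC and a short-lived role")
            uses = step.get("uses") or ""
            if uses.startswith("aws-actions/configure-aws-credentials") and not has_oidc:
                findings.append(f"{where}: configure-aws-credentials without "
                                "'permissions: id-token: write'")
            if MUTABLE_TAG_RE.match(uses):
                findings.append(f"{where}: action '{uses}' pinned to a mutable tag; pin to a commit SHA")
            if AUTO_APPROVE_RE.search(step.get("run") or "") and "pull_request" in trigger_names:
                findings.append(f"{where}: 'terraform apply -auto-approve' on pull_request; "
                                "PR runs should stop at plan")
    return findings


if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, lint_workflow(wf) or ["no findings"])
```

Run against the weak workflow the checker reports the static keys, the mutable `@v3` tag and the auto-approve on a pull request; the hardened variant comes back clean. The same rules transfer to Azure jobs by adding `ARM_CLIENT_SECRET` style variables to `STATIC_KEY_VARS`, which the set already anticipates.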
Containerization (AKS, EKS, OpenShift) and Serverless technologies
in AWS and Azure can transform insurance systems by improving
scalability, reliability, and cost-efficiency.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: policy-management
spec:
  replicas: 3
  selector:
    matchLabels:
      app: policy-management
  template:
    metadata:
      labels:
        app: policy-management
    spec:
      containers:
        - name: policy-management
          # A mutable tag can be re-pushed; pin production images by digest (image@sha256:...)
          image: myregistry.azurecr.io/policy-management:v1
          ports:
            - containerPort: 8080
3. Load Balancer for User Portal
apiVersion: v1
kind: Service
metadata:
  name: user-portal-service
spec:
  type: LoadBalancer   # provisions a public cloud load balancer
  selector:
    app: user-portal
  ports:
    - protocol: TCP
      port: 80         # plaintext HTTP; terminate TLS at the load balancer or an Ingress in front of it
      targetPort: 8080
- Customer Portal
- ML Model API for Underwriting
Integrated Tools:
- AWS CodePipeline for CI/CD
- CloudWatch for logging and metrics
Implementation
1. Cluster Setup Using eksctl
eksctl create cluster \
  --name insurance-cluster \
  --region us-west-2 \
  --nodes 3 \
  --node-type t3.medium
2. CI/CD Pipeline with CodePipeline
   - Use Terraform to provision infrastructure and define EKS resources.
3. Observability
   - Enable CloudWatch Container Insights for monitoring.
import json

def lambda_handler(event, context):
    # Assumes a non-proxy integration (or mapping template) that passes the JSON body
    # as the event itself. With Lambda proxy integration the body arrives as the
    # string event["body"] and must be json.loads()'d first.
    claim_id = event["claim_id"]
    # Process claim logic
    return {
        "statusCode": 200,
        "body": json.dumps({"message": "Claim processed", "claim_id": claim_id})
    }
2. API Gateway Integration
   - Create a REST API with AWS API Gateway to invoke Lambda.
3. DynamoDB Claims Table
aws dynamodb create-table \
  --table-name Claims \
  --attribute-definitions AttributeName=ClaimID,AttributeType=S \
  --key-schema AttributeName=ClaimID,KeyType=HASH \
  --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5
# Tables are encrypted at rest with an AWS-owned key by default; add
# --sse-specification Enabled=true,SSEType=KMS to use a customer-managed KMS key.
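The three steps above (handler, API Gateway, Claims table) leave the claim handler trusting whatever arrives in the event and processing the same claim as often as it is sent. The following hardened handler is an added example for this page, not the page's own code: it parses the API Gateway event in both integration styles, validates and bounds the input, and uses a conditional put on the `ClaimID` hash key so a replayed request gets 409 instead of a second claim. The `CLM-` claim-id format, the `CLAIMS_TABLE` variable and the amount limit are hypothetical; `InMemoryClaimsStore` is a test double with the same contract as the DynamoDB store, so the module runs without AWS access.

```python
"""Hardened claims handler: input validation plus idempotent writes (example code)."""
import base64
import json
import os
import re
from decimal import Decimal
from typing import Any, Optional

CLAIM_ID_RE = re.compile(r"^CLM-[0-9]{8}$")   # hypothetical claim-id format
ALLOWED_FIELDS = {"claim_id", "amount"}       # anything else is rejected (mass-assignment guard)
MAX_AMOUNT = Decimal("1000000")               # hypothetical business limit
MAX_BODY_BYTES = 4096                         # cheap guard against oversized payloads


class InMemoryClaimsStore:
    """Test double with the same put_if_absent contract as DynamoClaimsStore."""
    def __init__(self) -> None:
        self.items: dict[str, dict[str, Any]] = {}

    def put_if_absent(self, claim_id: str, item: dict[str, Any]) -> bool:
        if claim_id in self.items:
            return False
        self.items[claim_id] = item
        return True


class DynamoClaimsStore:
    """Conditional put against the Claims table (hash key ClaimID); needs boto3 at runtime."""
    def __init__(self, table_name: str) -> None:
        import boto3  # imported lazily so the module loads without boto3 installed
        self._table = boto3.resource("dynamodb").Table(table_name)

    def put_if_absent(self, claim_id: str, item: dict[str, Any]) -> bool:
        from botocore.exceptions import ClientError
        try:
            self._table.put_item(Item=item, ConditionExpression="attribute_not_exists(ClaimID)")
            return True
        except ClientError as exc:
            if exc.response["Error"]["Code"] == "ConditionalCheckFailedException":
                return False
            raise


def _response(status: int, body: dict[str, Any]) -> dict[str, Any]:
    return {"statusCode": status, "headers": {"Content-Type": "application/json"},
            "body": json.dumps(body)}


def _parse_payload(event: dict[str, Any]) -> dict[str, Any]:
    """Proxy integration puts the body in event['body'] as a string (maybe base64);
    a mapping template can instead deliver the parsed JSON as the event itself."""
    if "body" in event:
        raw = event.get("body") or ""
        if event.get("isBase64Encoded"):
            raw = base64.b64decode(raw).decode("utf-8")
        if len(raw.encode("utf-8")) > MAX_BODY_BYTES:
            raise ValueError("body too large")
        try:
            payload = json.loads(raw, parse_float=Decimal)  # exact money, and what DynamoDB expects
        except json.JSONDecodeError:
            raise ValueError("body is not valid JSON") from None
    else:
        payload = event
    if not isinstance(payload, dict):
        raise ValueError("payload must be a JSON object")
    return payload


def lambda_handler(event: dict[str, Any], context: Any, store: Optional[Any] = None) -> dict[str, Any]:
    store = store or DynamoClaimsStore(os.environ.get("CLAIMS_TABLE", "Claims"))
    try:
        payload = _parse_payload(event)
    except ValueError as exc:
        return _response(400, {"error": str(exc)})  # no stack traces or internals to the caller
    unexpected = set(payload) - ALLOWED_FIELDS
    if unexpected:
        return _response(400, {"error": f"unexpected fields: {sorted(unexpected)}"})
    claim_id = payload.get("claim_id")
    if not isinstance(claim_id, str) or not CLAIM_ID_RE.match(claim_id):
        return _response(400, {"error": "claim_id missing or malformed"})
    amount = payload.get("amount")
    if isinstance(amount, bool) or not isinstance(amount, (int, Decimal)) or not 0 < amount <= MAX_AMOUNT:
        return _response(400, {"error": "amount must be a number within the allowed range"})
    item = {"ClaimID": claim_id, "amount": Decimal(amount), "status": "received"}
    if not store.put_if_absent(claim_id, item):   # replay or duplicate submission
        return _response(409, {"error": "claim already exists", "claim_id": claim_id})
    return _response(200, {"message": "Claim processed", "claim_id": claim_id})


def run_scenarios() -> dict[str, int]:
    """Drive the handler with constructed events against the in-memory store; status code per case."""
    store = InMemoryClaimsStore()
    good = json.dumps({"claim_id": "CLM-20240101", "amount": 250.75})
    events = {
        "valid": {"body": good},
        "replayed": {"body": good},
        "mapping_template": {"claim_id": "CLM-20240102", "amount": 10},
        "malformed_json": {"body": "{not json"},
        "bad_claim_id": {"body": json.dumps({"claim_id": "CLM-1; DROP", "amount": 1})},
        "extra_field": {"body": json.dumps({"claim_id": "CLM-20240103", "amount": 1, "status": "paid"})},
        "negative_amount": {"body": json.dumps({"claim_id": "CLM-20240104", "amount": -5})},
        "base64_body": {"body": base64.b64encode(b'{"claim_id":"CLM-20240105","amount":1}').decode(),
                        "isBase64Encoded": True},
    }
    return {name: lambda_handler(ev, None, store=store)["statusCode"] for name, ev in events.items()}
```

`run_scenarios()` shows the behaviour end to end: the valid and base64-encoded bodies succeed, the replay of an already-stored claim is refused with 409 without touching business logic, and malformed, over-privileged (`status`) or out-of-range input never reaches the table.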
Key Concepts of State Management
1. State File (terraform.tfstate):
   - A JSON file that records the current state of your infrastructure.
   - Contains metadata about resources (e.g., IDs, configurations, and any attribute values the provider returns, secrets included).
   - Allows Terraform to:
     - Identify which resources it manages.
     - Determine deltas between your configuration and the actual infrastructure.
2. State Locking:
   - Prevents multiple users or processes from modifying the state at the same time.
   - Achieved using remote backends like AWS S3 with DynamoDB for locking, or Azure Blob Storage, which locks through blob leases.
3. State Drift:
   - Happens when resources are changed outside of Terraform (e.g., directly in the cloud console).
   - Terraform detects this when it refreshes state during terraform plan and reconciles it (by reverting the resource to the configuration) during terraform apply.
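Seeing drift and deltas in `terraform plan` output is one thing; deciding in a pipeline whether the plan may be applied unattended is another. The gate below is an added example written for this page, not code from the original or from Terraform itself. It reads the JSON that `terraform show -json tfplan` prints, separates drift (the `resource_drift` array, objects whose real state differed at refresh time) from the changes the apply would make (`resource_changes`), and refuses to auto-apply destructive actions or unreviewed drift. The plan documents and the `PROTECTED_TYPES` list are constructed for the example.

```python
"""Unattended-apply gate over `terraform show -json` output (constructed sample plans)."""
import json
from dataclasses import dataclass, field

# Resource types whose delete or replace loses data or keys; never auto-apply those.
PROTECTED_TYPES = {"aws_dynamodb_table", "aws_s3_bucket", "aws_kms_key", "aws_db_instance",
                   "azurerm_storage_account", "azurerm_key_vault"}

SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    # Objects whose live state differed from the state file when Terraform refreshed.
    "resource_drift": [
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["update"],
                    "before": {"ingress": [{"from_port": 22, "cidr_blocks": ["10.0.0.0/8"]}]},
                    "after": {"ingress": [{"from_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}}},
    ],
    # What `terraform apply` of this plan would do.
    "resource_changes": [
        {"address": "aws_vpc.main", "type": "aws_vpc", "change": {"actions": ["no-op"]}},
        {"address": "aws_subnet.public", "type": "aws_subnet", "change": {"actions": ["create"]}},
        {"address": "aws_security_group.web", "type": "aws_security_group", "change": {"actions": ["update"]}},
        {"address": "aws_dynamodb_table.claims", "type": "aws_dynamodb_table",
         "change": {"actions": ["delete", "create"]}},
        {"address": "aws_instance.legacy", "type": "aws_instance", "change": {"actions": ["delete"]}},
    ],
})
CLEAN_PLAN_JSON = json.dumps({"format_version": "1.2", "resource_changes": [
    {"address": "aws_subnet.public", "type": "aws_subnet", "change": {"actions": ["create"]}}]})


@dataclass
class PlanReport:
    drift: list[str] = field(default_factory=list)        # addresses changed outside Terraform
    changes: dict[str, list[str]] = field(
        default_factory=lambda: {k: [] for k in ("create", "update", "delete", "replace")})
    blocked: list[str] = field(default_factory=list)      # reasons the plan must not auto-apply


def classify(actions: list[str]) -> str:
    """Collapse Terraform's action list to one word; ["delete","create"] and
    ["create","delete"] are both a replacement."""
    if "create" in actions and "delete" in actions:
        return "replace"
    if not actions or actions[0] in ("no-op", "read"):
        return "no-op"
    return actions[0]


def analyze_plan(plan_json: str, allow_destroy: bool = False) -> PlanReport:
    plan = json.loads(plan_json)
    report = PlanReport()
    report.drift = [rc["address"] for rc in plan.get("resource_drift", [])]
    for rc in plan.get("resource_changes", []):
        kind = classify(rc["change"]["actions"])
        if kind == "no-op":
            continue
        report.changes[kind].append(rc["address"])
        if kind in ("delete", "replace") and (rc["type"] in PROTECTED_TYPES or not allow_destroy):
            report.blocked.append(f"{rc['address']}: {kind} of {rc['type']}")
    if report.drift:
        # Drift is either an unauthorised change to investigate or an emergency fix the apply
        # would silently undo; either way a person should look before Terraform reconciles it.
        report.blocked.append(f"drift on {len(report.drift)} resource(s): {', '.join(report.drift)}")
    return report


def exit_code(report: PlanReport) -> int:
    """Same convention as `terraform plan -detailed-exitcode`: 0 nothing to do,
    2 changes pending; 1 here means the gate refused the plan."""
    if report.blocked:
        return 1
    return 2 if any(report.changes.values()) else 0


if __name__ == "__main__":
    rep = analyze_plan(SAMPLE_PLAN_JSON)
    print(json.dumps({"drift": rep.drift, "changes": rep.changes, "blocked": rep.blocked}, indent=2))
    print("exit", exit_code(rep))
```

On the sample plan the security group drifted from an internal CIDR to `0.0.0.0/0` on port 22, the Claims table would be replaced and a legacy instance deleted; the gate returns 1 and lists all three. `allow_destroy=True` lets the non-protected delete through but still blocks the table replacement and the drift, and a create-only plan returns 2, which a pipeline can map to "apply".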
Why is State Management Important?
- Efficient Resource Tracking: Tracks which resources belong to which configurations.
- Change Management: Identifies what needs to be created, updated, or destroyed.
- Collaboration: Enables team members to share and update state using remote backends.
- Avoid Duplicate Resources: Ensures Terraform doesn't create duplicate resources due to loss of knowledge about existing ones.
How Terraform Manages State
1. Local State:
   - By default, Terraform stores the state file locally in the project directory as terraform.tfstate.
   - Suitable for small projects or individual use.
2. Remote State:
   - Stores the state file in a centralized location (e.g., AWS S3, Azure Blob, Terraform Cloud).
   - Benefits:
     - Enables collaboration by sharing state.
     - Adds security with encryption and access control.
     - Supports state locking to avoid concurrent modifications.
Remote State Configuration Example
AWS S3 Backend with DynamoDB Locking:
terraform {
  backend "s3" {
    bucket         = "my-terraform-state-bucket"
    key            = "prod/terraform.tfstate"
    region         = "us-west-2"
    # Lock table. Terraform 1.10 and later can lock natively in S3 with use_lockfile = true instead.
    dynamodb_table = "terraform-state-lock"
    # Server-side encryption of the state object; without it the state is stored in clear.
    encrypt        = true
  }
}
Azure Blob Storage Backend:
terraform {
  backend "azurerm" {
    storage_account_name = "mystorageaccount"
    container_name       = "terraform-state"
    key                  = "prod.terraform.tfstate"
    # Locking is built in (blob lease), no extra table is needed. When authenticating with
    # Azure AD or a service principal, also set resource_group_name and use_azuread_auth = true;
    # otherwise the backend expects a storage access key or SAS token.
  }
}
State File Best Practices
1. Use Remote Backends:
   - Always store state remotely for team collaboration and safety.
2. Secure State Files:
   - Use encryption at rest for sensitive information (e.g., access keys, secrets).
3. Enable Locking:
   - Avoid concurrent modifications by enabling state locking mechanisms.
4. Version Control for State Configurations:
   - Exclude actual state files (terraform.tfstate) from version control using .gitignore. The .terraform/ working directory belongs there too: it caches the backend configuration and can contain credentials.
Example:
*.tfstate
*.tfstate.*
.terraform/
Example: AWS S3 Backend with Encryption and Locking:
terraform {
  backend "s3" {
    bucket         = "secure-terraform-state"
    key            = "prod/terraform.tfstate"
    region         = "us-west-2"
    dynamodb_table = "terraform-locks"
    encrypt        = true   # add kms_key_id to use a customer-managed KMS key instead of SSE-S3
  }
}
2. Encrypt State Files:
   - Ensure remote backends use encryption at rest and in transit.
   - Avoid storing sensitive data in plain text within state files. Marking an attribute sensitive only redacts CLI output; the value is still written to state.
3. Restrict Access to State Files:
   - Use IAM roles/policies to limit who can read/write the state files. Anyone who can read the state object can read every secret recorded in it.
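Knowing that state can hold secrets is only useful if you can check a given state file for them. The auditor below is an added example written for this page, not code from the original or from Terraform: it walks a terraform.tfstate in the v4 layout, flags attributes whose name or value looks like a credential, reports whether Terraform had marked them sensitive, and can produce a redacted copy safe to paste into a ticket. The state document is constructed; the AWS key pair in it is the documented AWS example value, and the detection patterns are a starting set, not a complete list.

```python
"""Audit a terraform.tfstate for credentials kept in plain text (constructed sample state)."""
import json
import re
from typing import Any, Iterator

# Attribute names that normally hold a credential, and value shapes that are one regardless of name.
SECRET_NAME_RE = re.compile(r"password|passwd|secret|private_key|token|access_key|connection_string", re.I)
SECRET_VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}\b"),
}

SAMPLE_STATE = json.dumps({
    "version": 4, "terraform_version": "1.6.0", "serial": 7, "lineage": "constructed-example",
    "resources": [
        {"mode": "managed", "type": "aws_vpc", "name": "main",
         "instances": [{"attributes": {"id": "vpc-0a1b2c3d", "cidr_block": "10.0.0.0/16"}}]},
        {"mode": "managed", "type": "aws_db_instance", "name": "claims",
         "instances": [{"attributes": {"id": "claims-db", "username": "app",
                                       "password": "Corr3ct-Horse-Battery"},
                        # Terraform's own marking: redacts CLI output, not the file.
                        "sensitive_attributes": [[{"type": "get_attr", "value": "password"}]]}]},
        {"mode": "managed", "type": "aws_iam_access_key", "name": "ci",
         "instances": [{"attributes": {"id": "AKIAIOSFODNN7EXAMPLE",
                                       "secret": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                                       "user": "ci"}}]},
        {"mode": "managed", "type": "tls_private_key", "name": "bastion",
         "instances": [{"attributes": {"private_key_pem":
                        "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n"}}]},
    ],
})


def _credential_attributes(state: dict[str, Any]) -> Iterator[tuple[str, dict[str, Any], str, list[str]]]:
    """Yield (address, instance, attribute, reasons) for each string attribute that looks like a credential."""
    for res in state.get("resources", []):
        address = ("data." if res.get("mode") == "data" else "") + f"{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            for key, value in inst.get("attributes", {}).items():
                if not isinstance(value, str) or not value:
                    continue
                reasons = []
                if SECRET_NAME_RE.search(key):
                    reasons.append(f"attribute name '{key}' is credential-like")
                reasons += [f"value matches {label}" for label, pat in SECRET_VALUE_PATTERNS.items()
                            if pat.search(value)]
                if reasons:
                    yield address, inst, key, reasons


def audit_state(state_json: str) -> list[dict[str, Any]]:
    """Findings name the resource and attribute but never carry the value itself."""
    findings = []
    for address, inst, key, reasons in _credential_attributes(json.loads(state_json)):
        marked = {path[0]["value"] for path in inst.get("sensitive_attributes", []) if path}
        findings.append({"address": address, "attribute": key, "reasons": reasons,
                         "marked_sensitive": key in marked})
    return findings


def redact_state(state_json: str) -> dict[str, Any]:
    """Copy of the state with credential-like values replaced; for sharing, never for `terraform apply`."""
    state = json.loads(state_json)  # fresh object, so the caller's string is untouched
    for _address, inst, key, _reasons in _credential_attributes(state):
        inst["attributes"][key] = "<redacted>"
    return state


if __name__ == "__main__":
    for f in audit_state(SAMPLE_STATE):
        flag = "marked sensitive" if f["marked_sensitive"] else "NOT marked sensitive"
        print(f"{f['address']}.{f['attribute']}: {'; '.join(f['reasons'])} ({flag})")
```

On the sample the database password is flagged even though Terraform marked it sensitive, the IAM access key is caught by its value shape rather than its attribute name, and the private key is caught both ways. Run this against a state pulled with `terraform state pull` before widening read access to a backend, and treat every hit as a reason for an IAM or RBAC restriction on the bucket or container rather than as something to strip from state by hand.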
variable "environment" {
  type = string
  validation {
    condition     = var.environment == "production" || var.environment == "staging"
    error_message = "Environment must be production or staging."
  }
}
provider "aws" {
  # The pipeline's own identity only needs sts:AssumeRole on this role; the role carries
  # the deployment permissions and can be scoped per environment and per account.
  assume_role {
    role_arn = "arn:aws:iam::123456789012:role/TerraformExecutionRole"
  }
}
3. Enable Branch Protections:
   - Use pull requests with code reviews to enforce best practices and detect security misconfigurations.
2. Scan IaC Code:
   - Integrate tools like Snyk IaC or Checkov into your pipelines.