Terraform On Azure Cloud v9

Uploaded by

Md Enamul Haque

Terraform on Azure with IaC DevOps SRE | Real-World 25 Demos
Kalyan Reddy Daida
StackSimplify

Cover slide residue: logos of other StackSimplify courses (DevOps on AWS EKS, Jenkins, Kubernetes; AWS & Azure Certs; Azure AKS Kubernetes; HashiCorp Vault & Consul; Google Cloud Certifications; AWS ECS; Docker on AWS; Python; AWS CloudFormation; AWS Lambda; Google GKE Kubernetes; Ansible; CKAD, CKA, CKS; Azure AZ-900, 104, 204, 400).

Related courses:
• HashiCorp Certified Terraform Associate on AWS with 50 Practical Demos
• Terraform on AWS with SRE and IaC DevOps with 20 Real-World Demos
• HashiCorp Certified Terraform Associate on Azure with 60+ Practical Demos
• Terraform on Azure with IaC DevOps SRE with 20+ Real-World Demos
• Terraform on AWS EKS Elastic Kubernetes Service with 15+ Real-World Demos

© Kalyan Reddy Daida StackSimplify
Terraform on Azure with IaC DevOps SRE | Real-World 25 Demos
Kalyan Reddy Daida, StackSimplify

Course topics (on Azure Cloud; real-world based approach; step-by-step documentation on GitHub; incremental way to build complex infra):
• Terraform Fundamentals (Commands, Language, Settings, Providers, Resources)
• Azure Virtual Network, Subnets and Network Security Groups
• Azure Virtual Machines, Network Interface and Public IP
• Azure Bastion Host and Bastion Service
• Azure Standard Load Balancer with Inbound NAT Rules
• Azure Virtual Machine Scale Sets with Manual Scaling
• Azure VMSS with Autoscaling Default, Recurrence and Fixed Profiles
• Azure Standard Load Balancer (External and Internal)
• Azure Private and Public DNS Zones
• Azure Traffic Manager
• Azure Application Gateway Basics
• Azure Application Gateway Context Path based Routing and Multisite Hosting
• Azure Application Gateway SSL, HTTP to HTTPS Redirect, SSL with Key Vault
• Terraform Local Modules – Leverage Public Registry
• Terraform Local Modules – Build from scratch and Publish to Public TF Registry
• Terraform Remote State Storage & Remote State Datasource
• Azure MySQL Single Server with Azure Application Gateway
• IaC DevOps with Azure DevOps for Terraform Project with Build and Release Pipelines


GitHub Step-by-Step Documentation: TF Configs well kept on GitHub
20 Azure Services
Resource Group, Traffic Manager, NAT Gateway, Virtual Network, Subnet, Network Security Group, Network Interface, Virtual Machine, Azure Disk, VM Scale Set, Public IP, DNS Zone, MySQL Server, Load Balancer, LB Inbound NAT, Application Gateway, Storage Account, Azure DevOps Pipelines

30+ Terraform Concepts and 20+ Azure Resources on Azure Cloud, with GitHub Step-by-Step Documentation
Terraform Configs (Part 1)
• Azure Virtual Network with Subnets and Network Security Groups
• Azure Virtual Machine Scale Set with Auto Scaling Profile – Web Tier
• Azure Bastion Host Linux VM – Enabled
• Azure Bastion Service – Disabled


Terraform Configs (Part 2)
• Azure Standard Load Balancer – External (Web Tier Load Balancer)
• Azure Storage Account – Deploy httpd conf
• Azure NAT Gateway – Outbound communication for App VMSS
• Azure Virtual Machine Scale Set with Auto Scaling Profile – App Tier
• Azure Standard Load Balancer – Internal (App Tier Load Balancer)
• Azure Private DNS Zone for App Tier Load Balancer internal DNS Name in VNET
• Azure Public DNS Zone – Access Applications via Internet using Registered Domain


GitHub Repositories

Repository Used For | Repository URL
--- | ---
Course Main Repository with step-by-step documentation | https://github.com/stacksimplify/terraform-on-azure-cloud
Azure IaC DevOps with Build and Release Pipelines | https://github.com/stacksimplify/terraform-on-azure-with-azure-devops


Terraform Workflow
1. init – terraform init
2. validate – terraform validate
3. plan – terraform plan
4. apply – terraform apply
5. destroy – terraform destroy


Terraform Top-Level Blocks
• Fundamental Blocks: Terraform Block, Providers Block, Resources Block
• Variable Blocks: Input Variables Block, Output Values Block, Local Values Block
• Calling / Referencing Blocks: Data Sources Block, Modules Block


Terraform Fundamentals
We are going to learn Terraform Fundamentals for 3 hours, then continue with Real-World 25+ Demos.
Azure Virtual Network – 4 Tier Design
Diagram: Resource Group > Virtual Network with four subnets, each with its own Network Security Group: Web Tier Subnet (Web NSG), App Tier Subnet (App NSG), DB Tier Subnet (DB NSG) and Bastion Host Subnet (Bastion NSG).


Azure Linux Virtual Machine
Diagram: Resource Group > Virtual Network. In the Web Tier Subnet (Web NSG) a User reaches Web VM-1 (Linux VM with NIC, VM Disk and Public IP, plus an optional VM-level NSG) on ports 80 and 22. App Tier, DB Tier and Bastion Host subnets each have their own NSG.
Terraform functions used in this demo: file(), filebase64(), base64encode().


Project architecture – Azure Portal diagram
Diagram (Azure DevOps webapp example): a Developer checks code into an Azure DevOps project; a Build job and a Deploy pipeline are established; Azure AD connects to the App Service (Webapp) in the Resource Group; the Webapp uses an access key to a Storage account and an IP address to reach the Database.


Azure Bastion Host Linux VM & Bastion Service
Diagram: Resource Group > Virtual Network. An Admin User connects from an SSH client (Putty / Terminal) on port 22 to Bastion VM-1 (Bastion Host Linux VM with NIC, Disk and Public IP) in the Bastion Host Subnet (Bastion NSG), then hops on port 22 to Web VM-1 (NIC, VM, Disk) in the Web Tier Subnet (Web NSG). Alternatively the Admin uses a Browser over SSL port 443 to the Azure Bastion Service (own Public IP) in the Bastion Service Subnet. App Tier and DB Tier subnets each have their own NSG.


Azure Standard Load Balancer – Internet Facing
Diagram: Resource Group > Virtual Network. Users reach the Azure Standard Load Balancer (Public IP), which forwards port 80 to Web VM-1 (NIC, VM, Disk) in the Web Tier Subnet (Web NSG). The Admin still reaches Web VM-1 on port 22 via Bastion VM-1 (Bastion Host Linux VM with Public IP) in the Bastion Host Subnet (Bastion NSG) from an SSH client (Putty / Terminal). App Tier and DB Tier subnets each have their own NSG.


Azure Standard Load Balancer – Inbound NAT Rules
Diagram: Resource Group > Virtual Network. Users reach Web VM-1 on port 80 through the Azure Standard Load Balancer (Public IP). The Admin connects from an SSH client (Putty / Terminal) to the Load Balancer Public IP on SSH port 1022; an Inbound NAT Rule translates it to port 22 on Web VM-1 (NIC, VM, Disk) in the Web Tier Subnet (Web NSG). Bastion VM-1 (port 22) remains in the Bastion Host Subnet (Bastion NSG); App Tier and DB Tier subnets each have their own NSG.


Azure Standard Load Balancer – Meta-Argument Count
Diagram: Resource Group > Virtual Network. The count meta-argument creates Web VM-1, Web VM-2 and Web VM-3 (each with NIC, VM, Disk) in the Web Tier Subnet (Web NSG). Inbound NAT Rules map SSH ports 1022, 2022 and 3022 on the Azure Standard Load Balancer Public IP to port 22 on each VM for the Admin; Users reach port 80 through the same Load Balancer. App Tier and DB Tier subnets each have their own NSG.


Azure Standard Load Balancer – Meta-Argument for_each
Diagram: same layout as the count slide, but Web VM-1, Web VM-2 and Web VM-3 and their Inbound NAT Rules (SSH ports 1022, 2022, 3022 to port 22) are created with the for_each meta-argument; Users reach port 80 through the Azure Standard Load Balancer (Public IP).


Azure Standard Load Balancer – VMSS Manual Scaling
Diagram: Resource Group > Virtual Network. A Web VMSS (with its own VMSS NSG) in the Web Tier Subnet (Web NSG) sits behind the Azure Standard Load Balancer (Public IP), which forwards port 80 from Users. The VMSS is scaled manually. The Admin reaches VMSS instances on port 22 via Bastion VM-1 (Bastion Host Linux VM with Public IP, Bastion Host Subnet, Bastion NSG) from an SSH client (Putty / Terminal). App Tier and DB Tier subnets each have their own NSG.


Azure VMSS – Autoscaling

Priority execution order for autoscaling profiles: P1 Fixed Profile > P2 Recurrence Profile > P3 Default Profile.

• Autoscaling Default Profile (P3): Mandatory profile. Defaults to a round-the-clock schedule. Will not execute if a Recurrence or Fixed Profile exists for the current time.
• Autoscaling Recurrence Profile (P2): Recurs on the specified days with the specified start time. Typical profiles: Week Day and Weekend schedule profiles; Business Hour and Non-Business Hour profiles.
• Autoscaling Fixed Profile (P1): Executes on a specific day. A Fixed profile takes priority 1 for execution on that day if it exists.

Screenshot slides: Autoscaling Default Profile (Scale Out / Scale In rules); Autoscaling Recurrence Profile – Week Days; Autoscaling Recurrence Profile – Weekends; Autoscaling Fixed Profile (Fixed Date Profile).
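The three profile kinds above in one autoscale setting, as an added example that is not the course's own code. The resource names (azurerm_resource_group.rg, azurerm_linux_virtual_machine_scale_set.web), capacities, thresholds, timezone and dates are assumptions chosen for illustration.

```hcl
# Added example: default (P3), recurrence (P2) and fixed-date (P1) profiles.
resource "azurerm_monitor_autoscale_setting" "web_vmss" {
  name                = "web-vmss-autoscale"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  target_resource_id  = azurerm_linux_virtual_machine_scale_set.web.id

  # Priority 3: default profile. Mandatory, and applies round the clock
  # whenever no recurrence or fixed-date profile matches the current time.
  profile {
    name = "default"

    capacity {
      default = 2
      minimum = 2
      maximum = 6
    }

    # Scale out by 1 instance when average CPU over 5 minutes exceeds 75 %.
    rule {
      metric_trigger {
        metric_name        = "Percentage CPU"
        metric_resource_id = azurerm_linux_virtual_machine_scale_set.web.id
        time_grain         = "PT1M"
        statistic          = "Average"
        time_window        = "PT5M"
        time_aggregation   = "Average"
        operator           = "GreaterThan"
        threshold          = 75
      }
      scale_action {
        direction = "Increase"
        type      = "ChangeCount"
        value     = "1"
        cooldown  = "PT5M"
      }
    }

    # Scale in by 1 instance when average CPU over 5 minutes drops below 25 %.
    rule {
      metric_trigger {
        metric_name        = "Percentage CPU"
        metric_resource_id = azurerm_linux_virtual_machine_scale_set.web.id
        time_grain         = "PT1M"
        statistic          = "Average"
        time_window        = "PT5M"
        time_aggregation   = "Average"
        operator           = "LessThan"
        threshold          = 25
      }
      scale_action {
        direction = "Decrease"
        type      = "ChangeCount"
        value     = "1"
        cooldown  = "PT5M"
      }
    }
  }

  # Priority 2: recurrence profile starting 08:00 on week days. A recurrence
  # only defines when a profile begins, so a second recurrence profile
  # (e.g. non-business hours starting 18:00) is how control is handed back.
  profile {
    name = "weekday-business-hours"

    capacity {
      default = 4
      minimum = 4
      maximum = 10
    }

    recurrence {
      timezone = "Eastern Standard Time"
      days     = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday"]
      hours    = [8]
      minutes  = [0]
    }
  }

  # Priority 1: fixed-date profile. Wins over the other two on the day it covers.
  profile {
    name = "launch-day"

    capacity {
      default = 8
      minimum = 8
      maximum = 12
    }

    fixed_date {
      timezone = "Eastern Standard Time"
      start    = "2025-11-28T00:00:00Z"
      end      = "2025-11-28T23:59:59Z"
    }
  }
}
```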


Azure – External LB + Web VMSS + Internal LB + App VMSS
Diagram: Resource Group > Virtual Network. Users (Internet) reach the external Azure Standard Load Balancer (Public IP), which forwards port 80 to the Web VMSS (Web Tier Subnet, Web NSG, Web VMSS NSG). The Web VMSS calls the App VMSS (App Tier Subnet, App NSG, App VMSS NSG) through an Internal Load Balancer. A NAT Gateway (own Public IP) provides outbound Internet communication for the App VMSS. A Storage Account holds app1.conf, which the Web VMSS downloads from the storage container into Apache. The DB Tier Subnet has its own NSG.


Azure – Private DNS Zones
Diagram: same layout as the External LB + Internal LB slide, adding a Private DNS Zone terraformguru.com linked to the Virtual Network, with the record applb.terraformguru.com resolving to the Internal Load Balancer in front of the App VMSS.


Azure – Public DNS Zones
Diagram: same layout as the Private DNS Zones slide, adding a Public DNS Zone kubeoncloud.com in its own Resource Group with DNS Records kubeoncloud.com, www.kubeoncloud.com and app1.kubeoncloud.com pointing at the external Azure Standard Load Balancer Public IP. Users access the applications from the Internet at http://kubeoncloud.com, http://www.kubeoncloud.com and http://app1.kubeoncloud.com.
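The private and public zones from the two slides above, as an added example that is not the course's own code. It assumes azurerm_resource_group.rg, azurerm_virtual_network.vnet, the internal load balancer azurerm_lb.app and the external LB's public IP azurerm_public_ip.web_lb exist elsewhere in the configuration.

```hcl
# Added example: private zone for the internal app LB, public zone for the web LB.
resource "azurerm_private_dns_zone" "internal" {
  name                = "terraformguru.com"
  resource_group_name = azurerm_resource_group.rg.name
}

# Link the zone to the VNet so every subnet can resolve applb.terraformguru.com.
# registration_enabled = false: VMs do not auto-register, only records we manage exist.
resource "azurerm_private_dns_zone_virtual_network_link" "internal" {
  name                  = "vnet-link"
  resource_group_name   = azurerm_resource_group.rg.name
  private_dns_zone_name = azurerm_private_dns_zone.internal.name
  virtual_network_id    = azurerm_virtual_network.vnet.id
  registration_enabled  = false
}

# applb.terraformguru.com -> private frontend IP of the internal app-tier LB.
resource "azurerm_private_dns_a_record" "applb" {
  name                = "applb"
  zone_name           = azurerm_private_dns_zone.internal.name
  resource_group_name = azurerm_resource_group.rg.name
  ttl                 = 300
  records             = [azurerm_lb.app.frontend_ip_configuration[0].private_ip_address]
}

# Public zone. The registered domain must be delegated to this zone's name
# servers at the registrar (see the output below); until then the records
# below are not reachable from the Internet.
resource "azurerm_dns_zone" "public" {
  name                = "kubeoncloud.com"
  resource_group_name = azurerm_resource_group.rg.name
}

# Apex (@), www and app1 all alias the external web-tier LB public IP resource,
# so the records follow the IP if it is ever re-allocated.
resource "azurerm_dns_a_record" "web" {
  for_each = toset(["@", "www", "app1"])

  name                = each.key
  zone_name           = azurerm_dns_zone.public.name
  resource_group_name = azurerm_resource_group.rg.name
  ttl                 = 300
  target_resource_id  = azurerm_public_ip.web_lb.id
}

output "public_zone_name_servers" {
  description = "NS records to configure at the domain registrar for kubeoncloud.com"
  value       = azurerm_dns_zone.public.name_servers
}
```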


What is a Terraform Backend?
Backends are responsible for storing state and providing an API for state locking.
• Terraform State Storage
• Terraform State Locking
In this course the backend is an Azure Storage Account.


Terraform Remote State Datasource
The terraform_remote_state data source retrieves the root module output values from some other Terraform configuration, using the latest state snapshot from the remote backend.

Diagram:
• Project-1 (eastus2): Azure VNET + LB + VMSS, state file project-1-terraform.tfstate
• Project-2 (westus2): Azure VNET + LB + VMSS, state file project-2-terraform.tfstate
• Project-3 (eastus2): Azure Traffic Manager, state file project-3-terraform.tfstate; reads the outputs of Project-1 and Project-2 through the terraform_remote_state data source.
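Project-3 written out, as an added example that is not the course's code: it reads the Project-1 and Project-2 state files from the shared Azure Storage backend and registers both regional web load balancers with a Traffic Manager profile. The storage account and container names, the profile name and the output name web_lb_public_ip_id are assumptions; Project-1 and Project-2 must expose that output from their root modules.

```hcl
# Added example: Project-3 (Traffic Manager) consuming Project-1/2 outputs.
# Reading another project's state exposes every value in it, not only outputs,
# so the identity running this project needs read access to the container and
# nothing more; keep the container private and the storage key out of source.
data "terraform_remote_state" "project1_eastus2" {
  backend = "azurerm"
  config = {
    resource_group_name  = "terraform-storage-rg"        # assumption
    storage_account_name = "terraformstateplaceholder"   # placeholder name
    container_name       = "tfstatefiles"                # assumption
    key                  = "project-1-terraform.tfstate"
  }
}

data "terraform_remote_state" "project2_westus2" {
  backend = "azurerm"
  config = {
    resource_group_name  = "terraform-storage-rg"
    storage_account_name = "terraformstateplaceholder"
    container_name       = "tfstatefiles"
    key                  = "project-2-terraform.tfstate"
  }
}

resource "azurerm_traffic_manager_profile" "web" {
  name                   = "mytfdemo"
  resource_group_name    = azurerm_resource_group.rg.name
  traffic_routing_method = "Weighted"

  dns_config {
    relative_name = "mytfdemo"   # must be globally unique under trafficmanager.net
    ttl           = 100
  }

  monitor_config {
    protocol = "HTTP"
    port     = 80
    path     = "/"
  }
}

# One endpoint per region; each value is the resource id of that project's LB
# public IP (the public IP needs a DNS label for Traffic Manager to accept it).
locals {
  endpoints = {
    eastus2 = data.terraform_remote_state.project1_eastus2.outputs.web_lb_public_ip_id
    westus2 = data.terraform_remote_state.project2_westus2.outputs.web_lb_public_ip_id
  }
}

resource "azurerm_traffic_manager_azure_endpoint" "web" {
  for_each = local.endpoints

  name               = "web-${each.key}"
  profile_id         = azurerm_traffic_manager_profile.web.id
  target_resource_id = each.value
  weight             = 100
}

output "traffic_manager_fqdn" {
  value = azurerm_traffic_manager_profile.web.fqdn
}
```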


Azure – Traffic Manager
Diagram: Users reach the Azure Traffic Manager profile (mytfdemo-wquift.trafficmanager.net), which directs them to one of two regional deployments, Region eastus2 and Region westus2. Each region is a Resource Group > Virtual Network > Web Tier Subnet (Web NSG) with a Web VMSS (Web VMSS NSG) behind an Azure Standard Load Balancer with a Public IP.


Azure Application Gateway – Create Azure Application Gateway manually using Azure Portal
Diagram: Resource Group > Virtual Network. The Azure Application Gateway (AG) lives in the AG Subnet (AG NSG) with an LB Public IP; Users reach it and it forwards port 80 to the Web VMSS in the Web Tier Subnet (Web NSG). App Tier and DB Tier subnets each have their own NSG.
AG components created in the Azure Portal: AG – Backend Pools, AG – Frontend IP Configs, AG – Listeners, AG – HTTP Settings, AG – Rules, AG – Health Probes.


Azure Application Gateway – Create Azure Application Gateway using Terraform
Diagram: same layout and the same AG components (Backend Pools, Frontend IP Configs, Listeners, HTTP Settings, Rules, Health Probes), this time created using Terraform.


Azure Application Gateway Components


Azure Application Gateway – Context Path based Routing
Diagram: Resource Group > Virtual Network > Web Tier Subnet (Web NSG) with App1 VMSS and App2 VMSS. Users reach the Azure Application Gateway (AG Subnet, AG NSG, LB Public IP) and the URL path map routes:
• http://ag-public-ip/app1/ (/app1/*) → App1 VMSS
• http://ag-public-ip/app2/ (/app2/*) → App2 VMSS
• http://ag-public-ip/ (/*) → external redirect to the External Site stacksimplify.com

Summary: Path Based Routing; Root Context External Redirect; Context Path based Routing.


Azure Application Gateway – Multisite Hosting
Diagram: Resource Group > Virtual Network > Web Tier Subnet (Web NSG) with App1 VMSS and App2 VMSS behind the Azure Application Gateway (AG Subnet, AG NSG, LB Public IP). Host-based listeners route:
• app1.terraformguru.com → App1 VMSS (http://app1.terraformguru.com/index.html, http://app1.terraformguru.com/app1/index.html)
• app2.terraformguru.com → App2 VMSS (http://app2.terraformguru.com/index.html, http://app2.terraformguru.com/app2/index.html)


Azure Application Gateway – SSL Self-signed
Diagram: Resource Group > Virtual Network > Web Tier Subnet (Web NSG) with App1 VMSS behind the Azure Application Gateway (AG Subnet, AG NSG, LB Public IP). Users requesting http://terraformguru.com are redirected (HTTP to HTTPS Redirect) to https://terraformguru.com, terminated with self-signed SSL Certs on the AG. Custom AG Error Pages (502.html, 403.html) are served from an Azure Storage Account.


Azure Application Gateway – SSL from Key Vault
Diagram: same layout as the SSL Self-signed slide (HTTP to HTTPS Redirect from http://terraformguru.com to https://terraformguru.com, App1 VMSS, error pages 502.html and 403.html in an Azure Storage Account), but the AG accesses the SSL Certificate from Azure Key Vault using a User Assigned Managed Identity.


Azure Pipelines – Key Concepts
• Pipeline: triggered when the Developer pushes to GitHub (Trigger); runs on an Agent.
• Stages: Stage-1: Build, Stage-2: AA, Stage-3: BB, Stage-4: CC.
• Jobs: each stage runs an Agent Job.
• Steps of the Build job:
  • Step-1: script: List Command: ls -R $(System.DefaultWorkingDirectory)
  • Step-2: Task-2: Copy Files to Build Artifact Directory
  • Step-3: script: List Command: ls -R $(Build.ArtifactStagingDirectory)
  • Step-4: Task-3: Publish Artifacts to Azure Pipelines


Azure DevOps – Build Pipeline (Continuous Integration Pipeline)
• Task-1: Copy files (terraform-manifests folder) from the System default working directory to the Build Artifact Directory.
• Task-2: Publish Build Artifacts to Azure Pipelines, so that we can use them in Release Pipelines.


Azure DevOps – Release Pipelines
Diagram flow: (1) Developer pushes to GitHub; (2) GitHub triggers Azure Pipelines; (3) Stage-1: Publish Artifacts; (4)–(10) the Release Pipelines deploy the artifacts to Dev, QA, Staging and Prod in turn, storing each environment's state in the Storage Account for State Files. Each environment on Azure Cloud is a Resource Group > Virtual Network > Web Subnet with a Web VM (Dev VM, QA VM, Stage VM, Prod VM), a Web NSG and a Public IP.


Screenshot slides: Azure IaC DevOps – Release Pipeline; Azure IaC DevOps Release Pipelines; Azure IaC DevOps Releases; Azure IaC DevOps Environment TF State Files; Time it takes to complete this Demo (Real-World Demo 23).
Azure MySQL Single Server
Diagram (Azure Cloud): Resource Group > Virtual Network. App1 VMSS (Web NSG) in the Web Tier Subnet, which has a VNET Service Endpoint; an Azure MySQL Single Server with a MySQL Virtual Network Rule allowing that subnet. Users reach the Azure Application Gateway (AG Subnet, AG NSG, LB Public IP) at http://terraformguru.com and are redirected (HTTP to HTTPS) to https://terraformguru.com with SSL Certs; AG Error Pages (502.html, 403.html) come from an Azure Storage Account.
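The service-endpoint plus virtual-network-rule pattern from the slide above, as an added example that is not the course's code. Server, subnet and database names, the SKU and the var.db_password variable are assumptions; azurerm_resource_group.rg and azurerm_virtual_network.vnet are assumed to exist.

```hcl
# Added example: MySQL Single Server reachable only from the web-tier subnet.
resource "azurerm_subnet" "web" {
  name                 = "web-subnet"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.0.1.0/24"]

  # Service endpoint: traffic to Azure MySQL stays on the Azure backbone and
  # carries the subnet identity that the virtual network rule below matches on.
  service_endpoints = ["Microsoft.Sql"]
}

variable "db_password" {
  type      = string
  sensitive = true   # supplied via TF_VAR_db_password or a tfvars kept out of git
}

resource "azurerm_mysql_server" "ums" {
  name                = "umsdb-mysql-placeholder"   # must be globally unique
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location

  administrator_login          = "dbadmin"
  administrator_login_password = var.db_password

  sku_name   = "GP_Gen5_2"
  version    = "8.0"
  storage_mb = 5120

  # Transport security: clients must use TLS 1.2 or later.
  ssl_enforcement_enabled          = true
  ssl_minimal_tls_version_enforced = "TLS1_2"

  # VNet rules are part of the server firewall, which only applies when the
  # public endpoint is enabled; with no firewall rules for 0.0.0.0/0 and no
  # "allow Azure services" rule, only the listed subnet can connect.
  public_network_access_enabled = true

  auto_grow_enabled            = true
  backup_retention_days        = 7
  geo_redundant_backup_enabled = false
}

resource "azurerm_mysql_database" "webappdb" {
  name                = "webappdb"
  resource_group_name = azurerm_resource_group.rg.name
  server_name         = azurerm_mysql_server.ums.name
  charset             = "utf8"
  collation           = "utf8_unicode_ci"
}

# Only the web subnet (where the App1 VMSS runs) may open connections.
resource "azurerm_mysql_virtual_network_rule" "web" {
  name                = "allow-web-subnet"
  resource_group_name = azurerm_resource_group.rg.name
  server_name         = azurerm_mysql_server.ums.name
  subnet_id           = azurerm_subnet.web.id
}

# The UMS app reads its DB settings from environment variables; pass these
# through to the VMSS custom data rather than hard-coding them.
output "db_host" {
  value = azurerm_mysql_server.ums.fqdn
}

output "db_user" {
  value = "${azurerm_mysql_server.ums.administrator_login}@${azurerm_mysql_server.ums.name}"
}
```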


User Management Web Application
• Spring Boot User Management Web Application (Java) backed by a MySQL DB.
• UMS Web App with Create User, List User, Login and Logout features.
• New users created will be stored in the MySQL DB.
• UMS Web App listens on port 8080.
• UMS Web App needs the MySQL DB to store its users. If the connection to the DB fails, it cannot start.
• UMS Web App DB information can be passed via Environment Variables (DB Name, Port, User, Pass).
• We can login to the UMS Web App with the new users created.


Screenshot slides: UMS – Login Screen; UMS – Landing Page Post Login; UMS – List Users Screen.


Terraform Modules – Demos
• Demo-1: Use a Public Registry module in our TF Configs.
• Demo-2: 1. Build a Static Website using Azure manually using the Azure Portal. 2. Automate it using Terraform Resources.
• Demo-3: Build a Local Terraform Module and call it from the Root Module and Test.
• Demo-4: Publish to the Public Terraform Registry, Access it from the Public Registry and Test.


THANK YOU

Terraform Courses
• AWS and Azure
• Terraform Concepts
• Terraform Real-World Implementations on AWS & Azure

Terraform Fundamentals – Pre-requisite Note


Terraform Fundamentals
• We are going to learn Terraform Fundamentals for 3 hours.
• This section is common for both Azure Terraform Courses:
  • Azure – HashiCorp Certified Terraform Associate (70 Demos): continue with the remaining 60 Demos.
  • Terraform on Azure with IaC DevOps SRE | Real-World 25 Demos: continue with the Real-World 25 Demos.

Terraform – Infrastructure as Code (IaC)

What is Infrastructure as Code?


Traditional Way of Managing Infrastructure
• Admin-1 builds Dev and QA, Admin-2 builds Staging, Production and Disaster Recovery, each from Documentation: 5 Days per environment. Total Time: 25 Days.
• Documentation has steps missing: No CI, environments Not-in-Sync, Delays, Issues, Outages. Many problems at many places in the manual process.
• Infrastructure scalability: to build a second copy of Dev, QA, Staging, Production and Disaster Recovery, Admin-3 and Admin-4 must repeat the work. The workforce needs to be increased to meet the timelines.
• Scale Up (Prod-1 to Prod-4) and Scale Down (Prod-1, Prod-2): On-Demand Scale-Up and Scale-Down is not an option.

Manage using IaC with Terraform
• Admin-1 writes the TF code once (5 Days) and checks it in to GitHub; DevOps / CI CD for IaC triggers Terraform runs, which create the infra on the Cloud for Dev, QA, Staging, Production and Disaster Recovery.
• One-Time Work; Re-Use Template; Quick & Reliable; Tracked for Audit; Fast.
• Scale-Up and Scale-Down On-Demand.
• Total Time: 25 Days reduced to 5 days; provisioning environments will be in minutes or seconds.


Manage using IaC with Terraform
• Visibility: IaC serves as a very clear reference of what resources we created, and what their settings are. We don't have to navigate to the web console to check the parameters.
• Stability: If you accidentally change the wrong setting or delete the wrong resource in the web console you can break things. IaC helps solve this, especially when it is combined with version control, such as Git.
• Scalability: With IaC we can write it once and then reuse it many times. This means that one well written template can be used as the basis for multiple services, in multiple regions around the world, making it much easier to horizontally scale.
• Security: Once again IaC gives you a unified template for how to deploy our architecture. If we create one well secured architecture we can reuse it multiple times, and know that each deployed version is following the same settings.
• Audit: Terraform not only creates resources, it also maintains the record of what is created in real-world cloud environments using its State files.


Chart slides: Google Trends – Past 5 Years; Google Trends – Past 1 Year.

Terraform Installation
Tools: Terraform CLI, Azure CLI, VS Code Editor, Terraform plugin for VS Code, GIT Client.
Platforms: Mac OS, Windows OS, Linux OS.


Terraform Command Basics

Terraform Workflow
1. init – terraform init
2. validate – terraform validate
3. plan – terraform plan
4. apply – terraform apply
5. destroy – terraform destroy

• init: Used to initialize a working directory containing terraform config files. This is the first command that should be run after writing a new Terraform configuration. Downloads Providers.
• validate: Validates the terraform configuration files in that respective directory to ensure they are syntactically valid and internally consistent.
• plan: Creates an execution plan. Terraform performs a refresh and determines what actions are necessary to achieve the desired state specified in the configuration files.
• apply: Used to apply the changes required to reach the desired state of the configuration. By default, apply scans the current directory for the configuration and applies the changes appropriately.
• destroy: Used to destroy the Terraform-managed infrastructure. This will ask for confirmation before destroying.


Terraform Language Basics – Theoretical but Very Important


Terraform Language Basics – Files
• Code in the Terraform language is stored in plain text files with the .tf file extension.
• There is also a JSON-based variant of the language that is named with the .tf.json file extension.
• We can call the files containing terraform code Terraform Configuration Files or Terraform Manifests.
• Diagram: Terraform Working Directory containing Terraform Configuration Files ending with the .tf extension.
Terraform Language Basics – Configuration Syntax
HCL – HashiCorp Configuration Language. A Terraform configuration is built from Blocks, Arguments, Identifiers and Comments.

Blocks
• A block starts with the Block Type followed by its Block Labels. Based on the block type, the number of block labels will be 1 or 2. Example: resource – 2 labels; variable – 1 label.
• Top Level Blocks: resource, provider, ...
• Block inside Block: provisioners, resource specific blocks like tags.
• Arguments are written inside the block body.

Arguments
• Argument Name [or] Identifier = Argument Value [or] Expression

Comments
• Single line comments with # or //
• Multi-line comments with /* ... */
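The syntax elements named above, annotated in one small configuration. This is an added example, not a file from the course; the resource names and values are illustrative.

```hcl
# Added example: block types, labels, arguments, identifiers and comments.

# Block type "variable" takes 1 label: the variable's name.
variable "location" {
  type    = string      # argument name = argument value (a literal)
  default = "eastus2"
}

/* Block type "resource" takes 2 labels:
   the resource type and the resource local name. */
resource "azurerm_resource_group" "rg" {
  name     = "demo-rg"       # identifier on the left, a literal value on the right
  location = var.location    // an expression referencing the input variable

  # tags is an argument whose value is a map, not a nested block.
  tags = {
    environment = "dev"
  }
}

resource "azurerm_virtual_network" "vnet" {
  name                = "demo-vnet"
  location            = azurerm_resource_group.rg.location   # expression: attribute reference
  resource_group_name = azurerm_resource_group.rg.name
  address_space       = ["10.0.0.0/16"]                      # expression: list literal

  # A block inside a block (no labels): lifecycle is a nested block with
  # its own arguments.
  lifecycle {
    prevent_destroy = false
  }
}
```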


Terraform Top-Level Blocks
The Terraform language uses a limited number of top-level block types, which are blocks that can appear outside of any other block in a TF configuration file. Most of Terraform's features are implemented as top-level blocks.
• Fundamental Blocks: Terraform Block, Providers Block, Resources Block
• Variable Blocks: Input Variables Block, Output Values Block, Local Values Block
• Calling / Referencing Blocks: Data Sources Block, Modules Block


Terraform Fundamental Blocks: Terraform, Provider, Resources


Terraform Basic Blocks

Terraform Block
• Special block used to configure some behaviors
• Specifying a required Terraform CLI Version
• Specifying Provider Requirements & Versions
• Configuring a Terraform Backend (Terraform State)

Provider Block
• HEART of Terraform
• Terraform relies on providers to interact with Remote Systems
• Declare providers for Terraform to install providers & use them
• Provider configurations belong to the Root Module

Resource Block
• Each Resource Block describes one or more Infrastructure Objects
• Resource Syntax: How to declare Resources?
• Resource Behavior: How Terraform handles resource declarations?
• Provisioners: We can configure Resource post-creation actions


Terraform Block
• This block can be called in 3 ways. All mean the same: Terraform Block, Terraform Settings Block, Terraform Configuration Block.
• Each terraform block can contain a number of settings related to Terraform's behavior.
• Within a terraform block, only constant values can be used; arguments may not refer to named objects such as resources, input variables, etc., and may not use any of the Terraform language built-in functions.

Screenshot slide: Terraform Block from 0.13 onwards.

Terraform Block settings:
• Required Terraform Version
• Provider Requirements
• Terraform Backend
• Experimental Language Features
• Passing Metadata to Providers


Terraform Providers
• Terraform Providers are the HEART of Terraform.
• Every Resource Type (example: Azure Resource Group) is implemented by a Provider.
• Without Providers Terraform cannot manage any infrastructure.
• Providers are distributed separately from Terraform and each provider has its own release cycles and Version Numbers.
• The Terraform Registry is publicly available and contains many Terraform Providers for most major Infra Platforms.

Diagram: the Terraform Admin runs the Terraform CLI on a Local Desktop. (1) terraform init downloads the Azure Provider from the Terraform Registry; (2) terraform validate, (3) terraform plan, (4) terraform apply and (5) terraform destroy then go through the Terraform Azure Provider to the Azure APIs to manage the Resource Group on Azure Cloud.


Terraform Providers: Provider Requirements, Provider Configuration, Dependency Lock File

Screenshot slide: Dependency Lock File.


Required Providers

Local Names
• Local Names are module specific and should be unique per module.
• Terraform configurations always refer to the local name of a provider outside the required_providers block.
• Users of a provider can choose any local name for it (myazure, azure1, azure2).
• The recommended way of choosing a local name is to use the preferred local name of that provider (for the Azure Provider hashicorp/azurerm, the preferred local name is azurerm).

Source
• It is the primary location from which the Terraform Provider is downloaded.
• Source addresses consist of three parts delimited by slashes (/): [<HOSTNAME>/]<NAMESPACE>/<TYPE>
• Example: registry.terraform.io/hashicorp/azurerm
• The hostname is optional, as the default is the public Terraform Registry (registry.terraform.io).
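A complete terraform settings block tying together the Terraform Block, Backend and Required Providers slides: version constraint, provider source and local name, and an Azure Storage backend. This is an added example, not the course's own file; the storage resource group, account, container and key names are assumptions.

```hcl
# Added example: terraform settings block with required_providers and azurerm backend.
terraform {
  # Only constant values are allowed in this block: no variables, no functions.
  required_version = ">= 1.0.0"

  required_providers {
    # <local name> = { source = "[hostname/]namespace/type", version = <constraint> }
    azurerm = {
      source  = "hashicorp/azurerm"     # same as registry.terraform.io/hashicorp/azurerm
      version = ">= 3.0.0, < 4.0.0"
    }
    random = {
      source  = "hashicorp/random"
      version = ">= 3.0"
    }
  }

  # Remote state in Azure Storage. Blob leases provide state locking. Keep the
  # container private and limit access to the pipeline identity: the state
  # file records every resource attribute, including generated secrets.
  backend "azurerm" {
    resource_group_name  = "terraform-storage-rg"        # assumption
    storage_account_name = "terraformstateplaceholder"   # placeholder, must be globally unique
    container_name       = "tfstatefiles"                # assumption
    key                  = "project-1-terraform.tfstate"
    # use_azuread_auth = true   # authenticate with Azure AD instead of a storage account key
  }
}

# The provider configuration uses the local name chosen in required_providers.
provider "azurerm" {
  features {}
}

# Resource types are prefixed with the provider's local name: azurerm_*.
resource "azurerm_resource_group" "rg" {
  name     = "project-1-rg"
  location = "eastus2"
}
```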


Terraform Registry (registry.terraform.io): Providers and Modules
Each provider page shows Provider Badges and Provider Documentation. Provider tiers:
• Official: owned and maintained by HashiCorp.
• Verified: owned and maintained by third-party technology partners. HashiCorp has verified the authenticity of the Provider's publisher.
• Community: published to the Terraform Registry by individual maintainers, groups of maintainers, or other members of the Terraform community.
• Archived: Official or Verified Providers that are no longer maintained by HashiCorp or the community.


Terraform Multiple Providers
• We can define multiple configurations for the same provider, and select which one to use on a per-resource or per-module basis.
• The primary reason for this is to support multiple regions for a cloud platform.
• We can use the alternate provider in a resource, data source or module by referencing it as <PROVIDER NAME>.<ALIAS>.
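Two configurations of the azurerm provider with per-resource and per-module selection, as an added example that is not the course's code. Note that for azurerm an alias normally selects a different subscription or tenant, since the region is an argument of the resource group itself; the var.secondary_subscription_id variable and the ./modules/vnet module are assumptions.

```hcl
# Added example: provider alias and <PROVIDER NAME>.<ALIAS> references.
variable "secondary_subscription_id" {
  type = string
}

# Default (unaliased) configuration: used by every resource that sets no provider.
provider "azurerm" {
  features {}
}

# Alternate configuration, referenced as azurerm.secondary.
provider "azurerm" {
  alias           = "secondary"
  subscription_id = var.secondary_subscription_id
  features {}
}

resource "azurerm_resource_group" "eastus2" {
  name     = "project-1-rg"
  location = "eastus2"
}

resource "azurerm_resource_group" "westus2" {
  provider = azurerm.secondary   # meta-argument selecting the alternate configuration
  name     = "project-2-rg"
  location = "westus2"
}

# A module gets an explicit provider map; inside the module the provider is
# still addressed by its plain local name, azurerm.
module "vnet_westus2" {
  source = "./modules/vnet"   # assumed local module

  providers = {
    azurerm = azurerm.secondary
  }

  resource_group_name = azurerm_resource_group.westus2.name
  location            = azurerm_resource_group.westus2.location
}
```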


Terraform Dependency Lock File
New feature added from Terraform v0.14 & later.

• A Terraform configuration refers to two different kinds of external dependency that come from outside of its own codebase: Providers and Modules.
• Version Constraints within the configuration itself determine which versions of dependencies are potentially compatible.
• Dependency Lock File: after selecting a specific version of each dependency using Version Constraints, Terraform remembers the decisions it made in a dependency lock file so that it can (by default) make the same decisions again in future.
• Location of Lock File: the current working directory (the file is named .terraform.lock.hcl).
• Very Important: the Lock File currently tracks only Provider Dependencies. For modules, continue to use an exact version constraint to ensure that Terraform will always select the same module version.
• Checksum Verification: Terraform will also verify that each package it installs matches at least one of the checksums it previously recorded in the lock file, if any, returning an error if none of the checksums match.

Screenshot slide: Dependency Lock File.

Importance of Dependency Lock File
• If Terraform did not find a lock file, it would download the latest versions of the providers that fulfill the version constraints you defined in the required_providers block inside the Terraform Settings Block.
• If we have a lock file, the lock file causes Terraform to always install the same provider version, ensuring that runs across your team or remote sessions will be consistent.
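What the lock file records, next to the exact module pin the slide asks for, as an added example that is not from the course. The version numbers are illustrative and the hashes are labelled placeholders: terraform init writes the real values, and the file should be committed, not edited by hand.

```hcl
# ---- .terraform.lock.hcl (generated by terraform init; placeholder values) ----
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.

provider "registry.terraform.io/hashicorp/azurerm" {
  version     = "3.0.0"               # the exact version terraform init selected
  constraints = ">= 3.0.0, < 4.0.0"   # copied from required_providers
  hashes = [
    # "h1:" hashes are computed from the provider zip for the platform init ran on;
    # "zh:" hashes come from the registry's signed manifest. A downloaded package
    # must match at least one of them or init fails.
    "h1:PLACEHOLDER-platform-hash-written-by-terraform-init=",
    "zh:PLACEHOLDER-registry-manifest-hash",
  ]
}

# ---- main.tf: modules are NOT tracked by the lock file, so pin them exactly ----
module "vnet" {
  source  = "Azure/vnet/azurerm"   # public registry module used in the course's module demo
  version = "4.1.0"                # exact version (illustrative), not a range

  resource_group_name = azurerm_resource_group.rg.name
  vnet_location       = azurerm_resource_group.rg.location
}
```

Committing the lock file means a colleague on another OS only passes checksum verification if their platform's hash is present; `terraform providers lock -platform=linux_amd64 -platform=darwin_arm64` records hashes for several platforms at once.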


Terraform Resources – Introduction
• Terraform Language Basics
• Terraform Resource Syntax
• Terraform Resource Behavior
• Terraform State
• Resource Meta-Arguments: count, depends_on, for_each, lifecycle


Terraform Resource Syntax


Terraform Language Basics – Configuration Syntax
• Block Type
  Top Level Blocks: resource, provider
  Block Inside Block: provisioners, resource-specific blocks like tags
• Block Labels
  Based on Block Type, block labels will be 1 or 2. Example: Resource – 2 labels; Variables – 1 label
• Arguments
  Argument Name [or] Identifier = Argument Value [or] Expression


Resource Syntax
• Resource Type: It determines the kind of infrastructure object it manages and what arguments and other attributes the resource supports.
• Resource Local Name: It is used to refer to this resource from elsewhere in the same Terraform module, but has no significance outside that module's scope. The resource type and name together serve as an identifier for a given resource and so must be unique within a module.
• Meta-Arguments: Can be used with any resource to change the behavior of resources.
• Resource Arguments: Will be specific to the resource type. Argument values can make use of Expressions or other Terraform Dynamic Language Features.
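The pieces named above, annotated on a small azurerm configuration. This is an added example, not the course's code; the variable names, the tag values and the resource names are assumptions chosen for illustration:

```hcl
# Added example: anatomy of a resource block.
# Block type "resource", two labels: resource type + resource local name.
resource "azurerm_resource_group" "myrg" {
  # Resource-specific arguments: argument name = value or expression
  name     = "myrg-${var.environment}" # expression: string interpolation
  location = var.location              # expression: input variable reference
  tags     = local.common_tags         # expression: local value reference
}

resource "azurerm_virtual_network" "myvnet" {
  # Meta-arguments work on any resource type (shown here for illustration;
  # the depends_on is redundant because the references below already imply it)
  depends_on = [azurerm_resource_group.myrg]
  lifecycle {
    create_before_destroy = false
  }

  name          = "myvnet"
  address_space = ["10.0.0.0/16"]
  # Reference syntax: <resource type>.<local name>.<attribute>
  location            = azurerm_resource_group.myrg.location
  resource_group_name = azurerm_resource_group.myrg.name
  tags                = local.common_tags
}

# One label: variable blocks name only the variable
variable "environment" {
  type    = string
  default = "dev"
}

variable "location" {
  type    = string
  default = "eastus"
}

# No labels: locals is a plain block
locals {
  common_tags = {
    owner   = "platform-team"
    project = "terraform-on-azure" # assumption
  }
}
```

Both resource blocks share the type `azurerm_virtual_network`/`azurerm_resource_group` namespace with nothing else in the module, so `azurerm_resource_group.myrg` is the unique identifier Terraform records in state for that object.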


Terraform Resource Behavior


Resource Behavior
• Create Resource: Create resources that exist in the configuration but are not associated with a real infrastructure object in the state.
• Destroy Resource: Destroy resources that exist in the state but no longer exist in the configuration.
• Update in-place: Update in-place resources whose arguments have changed.
• Destroy and re-create: Destroy and re-create resources whose arguments have changed but which cannot be updated in-place due to remote API limitations.


Terraform State


Terraform State
• Terraform must store state about your managed infrastructure and configuration.
• This state is used by Terraform to map real world resources to your configuration (.tf files), keep track of metadata, and to improve performance for large infrastructures.
• This state is stored by default in a local file named "terraform.tfstate", but it can also be stored remotely, which works better in a team environment.
• The primary purpose of Terraform state is to store bindings between objects in a remote system and resource instances declared in your configuration.
• When Terraform creates a remote object in response to a change of configuration, it will record the identity of that remote object against a particular resource instance, and then potentially update or delete that object in response to future configuration changes.
(Diagram: Admin on a Local Desktop runs the Terraform CLI – 1 terraform init downloads the Terraform Azure Provider from the Terraform Registry; 2 terraform validate; 3 terraform plan; 4 terraform apply; 5 terraform destroy – calling the Azure APIs to manage Resource Group, Virtual Network, Subnet, Public IP and Network Interface in Azure Cloud; Terraform State File terraform.tfstate)


Terraform State – Desired & Current
(Diagram: Terraform Configuration Files = Desired State; Real World Resources, as recorded in terraform.tfstate = Current State)


Real-World Demo 1
Azure Virtual Network, Subnets, Network Security Group

Azure Virtual Network – 4-Tier Design
(Diagram: Resource Group > Virtual Network containing Web Tier Subnet + Web NSG, App Tier Subnet + App NSG, DB Tier Subnet + DB NSG, Bastion Host Subnet + Bastion NSG)

Azure Virtual Network Topology
(Figure: topology screenshot)


Terraform Concepts & Azure Resources
Terraform Concepts:
• Terraform Settings Block
• Terraform Provider Block
• Terraform Input Variables
• Terraform Local Values Block
• Terraform Random Resource
• Terraform for_each Meta-Argument
• Terraform depends_on Meta-Argument
• Terraform Output Values
Azure Resources:
• azurerm_resource_group
• azurerm_virtual_network
• azurerm_subnet
• azurerm_network_security_group
• azurerm_network_security_rule
• azurerm_subnet_network_security_group_association


What are we going to Learn?
• Terraform Input Variables
• Terraform Local Values
• Azure Virtual Network with Subnets and Network Security Groups
• Virtual Network 4-Tier Design
• Terraform Output Values
• Terraform Meta-Arguments (for_each and depends_on)
• Terraform Variable – terraform.tfvars


Time it takes to complete this Demo – Real-World Demo 1 (figure)
Terraform Input Variables – 14 Demos
Input variables serve as parameters for a Terraform module, allowing aspects of the module to be customized without
altering the module's own source code, and allowing modules to be shared between different configurations.
1. Input Variables - Basics
2. Provide Input Variables when prompted during terraform plan or apply
3. Override default variable values using CLI argument -var
4. Override default variable values using Environment Variables (TF_VAR_<name>)
5. Provide Input Variables using terraform.tfvars files
6. Provide Input Variables using <any-name>.tfvars file with CLI argument -var-file
7. Provide Input Variables using somefilename.auto.tfvars files
8. Implement complex type constructors like List & Map in Input Variables
9. Implement Custom Validation Rules in Variables
10. Protect Sensitive Input Variables
11. Input Variables using Structural Type: Object
12. Input Variables using Collection Type: set
13. Input Variables using Structural Type: tuple
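The variable features the demos above cover, in one file. This is an added example, not the course's variables.tf; the variable names, default values and the allowed environment list are assumptions:

```hcl
# Added example: input variable declarations covering the demo topics above.

variable "business_unit" {
  description = "Business unit name"
  type        = string
  default     = "hr" # assumption
}

variable "environment" {
  description = "Environment name"
  type        = string
  default     = "dev"
  # Custom validation rule: the condition may only refer to this variable
  validation {
    condition     = contains(["dev", "qa", "staging", "prod"], var.environment)
    error_message = "The environment must be one of: dev, qa, staging, prod."
  }
}

# Sensitive: redacted in plan/apply output. It is still written to the state
# file in clear text, so the state backend must be protected as a secret store.
variable "db_admin_password" {
  description = "Database administrator password"
  type        = string
  sensitive   = true
  # no default and no value supplied => Terraform prompts for it during plan/apply
}

# Collection types
variable "virtual_network_address_space" {
  type    = list(string)
  default = ["10.0.0.0/16"]
}

variable "common_tags" {
  type    = map(string)
  default = { owner = "platform-team" }
}

variable "web_vm_allowed_ports" {
  type    = set(number)   # unordered, duplicates collapse
  default = [22, 80]
}

# Structural types
variable "web_vm" {
  type = object({
    size       = string
    admin_user = string
  })
  default = {
    size       = "Standard_DS1_v2"
    admin_user = "azureuser"
  }
}

variable "db_settings" {
  type    = tuple([string, number, bool]) # fixed length, positional types
  default = ["mysql", 3306, true]
}

# Where values come from, lowest to highest precedence (later sources win):
#   1. default in the variable block
#   2. environment variable TF_VAR_<name>, e.g. TF_VAR_environment=qa
#   3. terraform.tfvars, then *.auto.tfvars (lexical order) in the working directory
#   4. -var-file=<any-name>.tfvars and -var 'environment=prod' on the command line,
#      applied in the order given
```

A practical check for item 10: after `terraform apply`, `terraform show` still prints the password, because sensitivity only affects CLI rendering of plans and outputs. Keep the state in a backend with restricted access and never commit `terraform.tfstate` or a `.tfvars` file containing secrets to version control.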


Terraform Variables – Output Values
Output values are like the return values of a Terraform module and have several uses:
1. A root module can use outputs to print certain values in the CLI output after running terraform apply.
2. A child module can use outputs to expose a subset of its resource attributes to a parent module.
3. (Advanced) When using remote state, root module outputs can be accessed by other configurations via a terraform_remote_state data source.


Output Values – 3 Demos
• Demo-1: Basics
• Demo-2: Count and Splat Expression
• Demo-3: for_each and for loops
Over the process, master the for loops in Terraform with Lists and Maps.
Terraform Variables – Local Values
• A local value assigns a name to an expression, so you can use that name multiple times within a module without repeating it.
• Local values are like a function's temporary local variables.
• Once a local value is declared, you can reference it in expressions as local.<NAME>.
• Local values can be helpful to avoid repeating the same values or expressions multiple times in a configuration.
• If overused they can also make a configuration hard to read by future maintainers by hiding the actual values used.
• The ability to easily change the value in a central place is the key advantage of local values.
• In short, use local values only in moderation.


Resource Meta-Arguments – depends_on
• Use the depends_on meta-argument to handle hidden resource or module dependencies that Terraform can't automatically infer.
• Explicitly specifying a dependency is only necessary when a resource or module relies on some other resource's behavior but doesn't access any of that resource's data in its arguments.
• The depends_on meta-argument, if present, must be a list of references to other resources or child modules in the same calling module.
• Arbitrary expressions are not allowed in the depends_on argument value, because its value must be known before Terraform knows resource relationships and thus before it can safely evaluate expressions.
• This argument is available in module blocks and in all resource blocks, regardless of resource type.
• The depends_on argument should be used only as a last resort. Add comments for future reference about why we added this.


Resource Meta-Arguments – for_each
• If a resource or module block includes a for_each argument whose value is a map or a set of strings, Terraform will create one instance for each member of that map or set.
• Each instance has a distinct infrastructure object associated with it, and each is separately created, updated, or destroyed when the configuration is applied.
• A given resource or module block cannot use both count and for_each.
• In blocks where for_each is set, an additional each object is available in expressions, so you can modify the configuration of each instance.
  each.key — The map key (or set member) corresponding to this instance.
  each.value — The map value corresponding to this instance. (If a set was provided, this is the same as each.key.)
• For a set of strings, each.key = each.value:
  for_each = toset( ["Jack", "James"] )
  each.key = Jack
  each.key = James
• For maps, we use each.key & each.value:
  for_each = {
    dev = "myapp1"
  }
  each.key = dev
  each.value = myapp1
• Demos: for_each with Maps, for_each with Set of Strings, for_each Chaining
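One configuration that exercises the Local Values, Output Values, depends_on and for_each sections above on the Demo 1 network: subnets and NSGs created from a map with for_each, the NSG set chained from the subnet resource, a depends_on whose reason is written down, and outputs built from the instances. This is an added example, not the course's Demo 1 files; the CIDRs, names and tag values are constructed sample values:

```hcl
# Added example: Demo 1 style 4-tier VNet built with for_each, locals, depends_on and outputs.

variable "subnets" {
  description = "Tier name => subnet CIDR (constructed sample values)"
  type        = map(string)
  default = {
    web     = "10.0.1.0/24"
    app     = "10.0.11.0/24"
    db      = "10.0.21.0/24"
    bastion = "10.0.100.0/24"
  }
}

locals {
  # Names used in several places; change them once here.
  rg_name   = "hr-dev-rg"
  vnet_name = "hr-dev-vnet"
  common_tags = {
    owner       = "platform-team"
    environment = "dev"
  }
}

resource "azurerm_resource_group" "myrg" {
  name     = local.rg_name
  location = "eastus"
  tags     = local.common_tags
}

resource "azurerm_virtual_network" "myvnet" {
  name                = local.vnet_name
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.myrg.location
  resource_group_name = azurerm_resource_group.myrg.name
  tags                = local.common_tags
}

# One subnet per map entry: each.key = tier name, each.value = CIDR
resource "azurerm_subnet" "tier" {
  for_each             = var.subnets
  name                 = "${local.vnet_name}-${each.key}-subnet"
  resource_group_name  = azurerm_resource_group.myrg.name
  virtual_network_name = azurerm_virtual_network.myvnet.name
  address_prefixes     = [each.value]
}

# for_each chaining: the NSG set is derived from the subnet resource itself
resource "azurerm_network_security_group" "tier" {
  for_each            = azurerm_subnet.tier
  name                = "${each.key}-nsg"
  location            = azurerm_resource_group.myrg.location
  resource_group_name = azurerm_resource_group.myrg.name
  tags                = local.common_tags
}

# Only the web tier accepts HTTP from the internet; the other NSGs keep Azure's
# default rules, which already deny inbound traffic from the internet.
resource "azurerm_network_security_rule" "web_http" {
  name                        = "allow-http-in"
  priority                    = 100
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "80"
  source_address_prefix       = "Internet"
  destination_address_prefix  = "*"
  resource_group_name         = azurerm_resource_group.myrg.name
  network_security_group_name = azurerm_network_security_group.tier["web"].name
}

resource "azurerm_subnet_network_security_group_association" "tier" {
  for_each                  = azurerm_subnet.tier
  subnet_id                 = each.value.id
  network_security_group_id = azurerm_network_security_group.tier[each.key].id
  # Hidden dependency: the association references the NSG but not its rules, so
  # without this Terraform may attach the subnet before the rules exist. Documented
  # here because depends_on is a last resort (see the depends_on slide).
  depends_on = [azurerm_network_security_rule.web_http]
}

# Outputs: a for expression turns the for_each instances into a map of ids
output "subnet_ids" {
  description = "Map of tier name to subnet id"
  value       = { for k, s in azurerm_subnet.tier : k => s.id }
}

output "virtual_network_name" {
  value = azurerm_virtual_network.myvnet.name
}
```

Because the instances are keyed by tier name (`azurerm_subnet.tier["web"]`), adding a fifth entry to `var.subnets` later creates one new subnet and leaves the other four untouched; with `count` the same change could renumber and therefore replace existing subnets.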


Real-World Demo 2
Azure Virtual Machines – Linux


Azure Linux Virtual Machine
(Diagram: Resource Group > Virtual Network. The Web Tier Subnet + Web NSG holds Web VM-1 (Linux VM with NIC, VM Disk, Public IP and an optional VM NSG) reachable by the User on Ports 80 and 22. App Tier Subnet + App NSG; DB Tier Subnet + DB NSG; Bastion Host Subnet + Bastion NSG)


Azure Resources and Topology
Azure Resources:
• azurerm_public_ip
• azurerm_network_interface
• azurerm_linux_virtual_machine
• Azure Disk (automatically gets created)
• azurerm_network_security_group
• azurerm_network_security_rule
• azurerm_network_interface_security_group_association
Terraform Functions:
• Terraform file() Function
• Terraform filebase64() function
• Terraform base64encode() function
Terraform Configs
• VM Custom Data Script to Bootstrap Apache Webserver
• SSH Keys to Connect to Linux VM
• Azure 4-Tier Virtual Network
• Azure Linux VM with Public IP and Network Interface in Web Subnet


Time it takes to complete this Demo – Real-World Demo 2 (figure)
Real-World Demo 3
Azure Bastion Host Service and Bastion Host Linux VM
Azure Bastion Host Linux VM & Bastion Service
(Diagram: Resource Group > Virtual Network. Option 1 – the Admin User's SSH Client (Putty / Terminal) connects on Port 22 to Bastion VM-1 (Bastion Host Linux VM Public IP, NIC, VM, Disk) in the Bastion Host Subnet + Bastion NSG, and from there to Web VM-1 (NIC, VM, Disk) on Port 22 in the Web Tier Subnet + Web NSG. Option 2 – the Admin User's Browser connects over SSL Port 443 to the Azure Bastion Service (Bastion Service Public IP) in the Bastion Service Subnet. App Tier Subnet + App NSG; DB Tier Subnet + DB NSG)


Azure Bastion Service
(Figure: Azure Bastion Service screenshot)


Azure Resources
Option-1: Azure Bastion Host Linux VM
• azurerm_public_ip
• azurerm_network_interface
• azurerm_linux_virtual_machine
• Azure Disk (automatically gets created)
• azurerm_network_security_group, azurerm_network_security_rule, azurerm_network_interface_security_group_association (Optional)
Option-2: Azure Bastion Service
• azurerm_public_ip
• azurerm_subnet (Dedicated Subnet for Azure Bastion Service)
• azurerm_bastion_host


Azure Bastion Options - Topology
(Figure: topology screenshot)


Terraform Configs
• Azure 4-Tier Virtual Network
• Azure Linux VM with Public IP and Network Interface in Web Subnet
• Azure Bastion Host Linux VM in Bastion Subnet
• Azure Bastion Service in AzureBastionSubnet


Time it takes to complete this Demo – Real-World Demo 3 (figure)
Terraform Provisioners
• Provisioners can be used to model specific actions on the local machine or on a remote machine in order to prepare servers.
• Use cases: Passing data into virtual machines and other compute resources; Running configuration management software (packer, chef, ansible).
• Provisioners are a Last Resort: First-class Terraform provider functionality may be available.
• Creation-Time Provisioners and Destroy-Time Provisioners.
• Failure Behaviour – Continue: Ignore the error and continue with creation or destruction.
• Failure Behaviour – Fail: Raise an error and stop applying (the default behavior). If creation provisioner, taint resource.


Types of Provisioners
• File Provisioner
• remote-exec Provisioner
• local-exec Provisioner
• Terraform Null Resource
Terraform Null Resource – New Concepts Introduced
• Terraform Connection Block: Connect to Azure Bastion Host VM from Terraform CLI Terminal
• Terraform File Provisioner: Push terraform-azure.pem to Bastion Host VM
• Terraform remote-exec Provisioner: Provide permissions chmod 400 to terraform-azure.pem after it is copied to Bastion Host VM


File Provisioner
• File Provisioner is used to copy files or directories from the machine executing Terraform to the newly created resource.
• The file provisioner supports both ssh and winrm type of connections.


remote-exec Provisioner
• The remote-exec provisioner invokes a script on a remote resource after it is created.
• This can be used to run a configuration management tool, bootstrap into a cluster, etc.


Connection Block
• Most provisioners require access to the remote resource via SSH or WinRM, and expect a nested connection block with details about how to connect.
• Expressions in connection blocks cannot refer to their parent resource by name. Instead, they can use the special self object.


Terraform Null Resource
• If you need to run provisioners that aren't directly associated with a specific resource, you can associate them with a null_resource.
• Instances of null_resource are treated like normal resources, but they don't do anything.
• As with other resources, you can configure provisioners and connection details on a null_resource.


local-exec Provisioner
• The local-exec provisioner invokes a local executable after a resource is created.
• This invokes a process on the machine running Terraform, not on the resource.
• Creation Time Provisioner (by default); Destroy Time Provisioner (when = destroy).
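The provisioner, connection and null_resource concepts from the slides above, combined into the Demo 3 bastion flow (copy terraform-azure.pem to the bastion VM, then chmod 400 it). This is an added example and not the course's own null_resource; it assumes a resource named `azurerm_linux_virtual_machine.bastion` exists in the same module, that the key lives at `ssh-keys/terraform-azure.pem` relative to the module, and that the log file name `provisioner.log` is acceptable (all assumptions):

```hcl
# Added example: null_resource with a connection block and file / remote-exec /
# local-exec provisioners. Assumes azurerm_linux_virtual_machine.bastion exists.

resource "null_resource" "bastion_bootstrap" {
  # triggers: re-run the provisioners when the bastion VM is replaced. They also
  # carry the host address, since a connection block cannot reference the VM by
  # name from here but can read self.triggers.
  triggers = {
    bastion_id = azurerm_linux_virtual_machine.bastion.id
    bastion_ip = azurerm_linux_virtual_machine.bastion.public_ip_address
  }
  depends_on = [azurerm_linux_virtual_machine.bastion]

  connection {
    type        = "ssh"
    host        = self.triggers.bastion_ip
    user        = azurerm_linux_virtual_machine.bastion.admin_username
    private_key = file("${path.module}/ssh-keys/terraform-azure.pem") # assumed path
  }

  # File provisioner (creation-time): copy the private key used to reach the
  # web VMs onto the bastion host
  provisioner "file" {
    source      = "${path.module}/ssh-keys/terraform-azure.pem"
    destination = "/tmp/terraform-azure.pem"
  }

  # remote-exec (creation-time): restrict the key file's permissions on the bastion
  provisioner "remote-exec" {
    inline = [
      "chmod 400 /tmp/terraform-azure.pem",
    ]
  }

  # local-exec (creation-time): runs on the machine executing Terraform.
  # on_failure = continue: a failed log write must not taint this resource.
  provisioner "local-exec" {
    command    = "echo 'bastion ready at ${azurerm_linux_virtual_machine.bastion.public_ip_address}' >> provisioner.log"
    on_failure = continue
  }

  # Destroy-time local-exec: runs before this resource is destroyed. Destroy-time
  # provisioners may only reference self, count.index and each.key, not other resources.
  provisioner "local-exec" {
    when    = destroy
    command = "echo 'bastion bootstrap removed for ${self.triggers.bastion_ip}' >> provisioner.log"
  }
}
```

The copied key is a credential for every web VM, so treat the bastion as a high-value host: the file permission is the minimum, and the key should be rotated (regenerate, update `admin_ssh_key` on the VMs, re-run the provisioner by tainting `null_resource.bastion_bootstrap`) whenever someone with bastion access leaves the team.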


Real-World Demo 4
Azure Standard Load Balancer (using Portal)
Azure Standard Load Balancer
(Diagram: Resource Group > Virtual Network > Web Tier Subnet with Web VM-1 and Web VM-2 (each NIC, VM, Disk). Users reach the Azure Standard Load Balancer through the LB Public IP on Port 80; the Admin reaches the VMs over SSH through Inbound NAT Rules – SSH Port 1022 to Web VM-1 Port 22 and SSH Port 2022 to Web VM-2 Port 22)


Real-World Demo 5
Azure Standard Load Balancer (Load Balancer, Virtual Machines)


Azure Standard Load Balancer – Internet Facing
(Diagram: Resource Group > Virtual Network. The SSH Client (Putty / Terminal) connects on Port 22 to Bastion VM-1 (Bastion Host Linux VM Public IP, NIC, VM, Disk) in the Bastion Host Subnet + Bastion NSG, and from there on Port 22 to Web VM-1 (NIC, VM, Disk) in the Web Tier Subnet + Web NSG. Users reach the Azure Standard Load Balancer (LB Public IP), which forwards Port 80 to Web VM-1. App Tier Subnet + App NSG; DB Tier Subnet + DB NSG)


Azure Resources - Internet Facing
Azure Standard Load Balancer:
• azurerm_public_ip
• azurerm_lb
• azurerm_lb_backend_address_pool
• azurerm_lb_probe
• azurerm_lb_rule
• azurerm_network_interface_backend_address_pool_association


Azure Load Balancer - Topology
(Figure: topology screenshots)


Terraform Configs
• Azure Virtual Network with Subnets and Network Security Groups
• Azure Virtual Machines + Network Interface + Public IP
• Azure Bastion Host Linux VM – Enabled
• Azure Bastion Service - Disabled
• Azure Standard Load Balancer - Web


Time it takes to complete this Demo – Real-World Demo 5 (figure)
Real-World Demo 6
Azure Standard Load Balancer – Inbound NAT Rules (Load Balancer, Virtual Machines)
Azure Standard Load Balancer – Inbound NAT Rules
(Diagram: Resource Group > Virtual Network. The SSH Client (Putty / Terminal) connects on Port 22 to Bastion VM-1 (Bastion Host Linux VM Public IP, NIC, VM, Disk) in the Bastion Host Subnet + Bastion NSG, and from there on Port 22 to Web VM-1 (NIC, VM, Disk) in the Web Tier Subnet + Web NSG. The Admin additionally reaches Web VM-1 Port 22 through an Inbound NAT Rule on the LB Public IP, SSH Port 1022. Users reach the Azure Standard Load Balancer (LB Public IP) on Port 80. App Tier Subnet + App NSG; DB Tier Subnet + DB NSG)


Azure Resources
Azure Standard Load Balancer:
• azurerm_public_ip
• azurerm_lb
• azurerm_lb_backend_address_pool
• azurerm_lb_probe
• azurerm_lb_rule
• azurerm_network_interface_backend_address_pool_association
• azurerm_lb_nat_rule
• azurerm_network_interface_nat_rule_association
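How the resources listed for Demo 5 and Demo 6 fit together for one web VM: public IP, load balancer, backend pool, probe, load balancing rule, the NIC association, and the inbound NAT rule that maps LB port 1022 to the VM's port 22. This is an added example, not the course's load balancer files; it targets the azurerm 3.x provider schema and assumes `azurerm_resource_group.myrg` and `azurerm_network_interface.web` (with an `ip_configuration` named `web-ip-1`) exist in the module:

```hcl
# Added example: Standard LB with a backend pool, HTTP rule and an inbound NAT rule.
# Assumes azurerm_resource_group.myrg and azurerm_network_interface.web exist.

resource "azurerm_public_ip" "web_lb" {
  name                = "web-lb-publicip"
  resource_group_name = azurerm_resource_group.myrg.name
  location            = azurerm_resource_group.myrg.location
  allocation_method   = "Static"
  sku                 = "Standard" # a Standard LB requires a Standard SKU public IP
}

resource "azurerm_lb" "web" {
  name                = "web-lb"
  location            = azurerm_resource_group.myrg.location
  resource_group_name = azurerm_resource_group.myrg.name
  sku                 = "Standard"
  frontend_ip_configuration {
    name                 = "web-lb-publicip-1"
    public_ip_address_id = azurerm_public_ip.web_lb.id
  }
}

resource "azurerm_lb_backend_address_pool" "web" {
  name            = "web-backend"
  loadbalancer_id = azurerm_lb.web.id
}

# Health probe: an instance that stops answering on 80 is taken out of rotation
resource "azurerm_lb_probe" "web" {
  name            = "tcp-probe"
  protocol        = "Tcp"
  port            = 80
  loadbalancer_id = azurerm_lb.web.id
}

resource "azurerm_lb_rule" "web" {
  name                           = "web-app1-rule"
  protocol                       = "Tcp"
  frontend_port                  = 80
  backend_port                   = 80
  frontend_ip_configuration_name = azurerm_lb.web.frontend_ip_configuration[0].name
  backend_address_pool_ids       = [azurerm_lb_backend_address_pool.web.id]
  probe_id                       = azurerm_lb_probe.web.id
  loadbalancer_id                = azurerm_lb.web.id
}

resource "azurerm_network_interface_backend_address_pool_association" "web" {
  network_interface_id    = azurerm_network_interface.web.id
  ip_configuration_name   = "web-ip-1" # must match the NIC's ip_configuration name (assumption)
  backend_address_pool_id = azurerm_lb_backend_address_pool.web.id
}

# Inbound NAT rule (Demo 6): LB public IP port 1022 -> this VM's port 22
resource "azurerm_lb_nat_rule" "web_ssh" {
  name                           = "ssh-1022-vm-22"
  resource_group_name            = azurerm_resource_group.myrg.name
  loadbalancer_id                = azurerm_lb.web.id
  protocol                       = "Tcp"
  frontend_port                  = 1022
  backend_port                   = 22
  frontend_ip_configuration_name = azurerm_lb.web.frontend_ip_configuration[0].name
}

resource "azurerm_network_interface_nat_rule_association" "web_ssh" {
  network_interface_id  = azurerm_network_interface.web.id
  ip_configuration_name = "web-ip-1"
  nat_rule_id           = azurerm_lb_nat_rule.web_ssh.id
}
```

The NAT rule only forwards packets; whether port 22 is actually reachable is decided by the NSG on the web subnet. A Standard load balancer is closed by default, so nothing reaches the VM until an NSG rule allows it. Keep that rule's `source_address_prefix` limited to the administrators' address range rather than `Internet`, and prefer the bastion path from Demo 3 for day-to-day access.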
Azure Load Balancer – Inbound NAT Rules Topology
(Figure: topology screenshot)


Terraform Configs
• Azure Virtual Network with Subnets and Network Security Groups
• Azure Virtual Machines + Network Interface + Public IP
• Azure Bastion Host Linux VM – Enabled
• Azure Bastion Service - Disabled
• Azure Standard Load Balancer – Web + Inbound NAT Rules


Time it takes to complete this Demo – Real-World Demo 6 (figure)
Real-World Demo 7
Azure Multiple VMs – Meta-Argument Count (Virtual Machines, Load Balancer)
Resource Meta-Arguments
Meta-Arguments can be used with any resource type to change the behavior of resources:
• depends_on
• count
• for_each
• provider
• lifecycle
• Provisioners & Connections
Practical Example with Step-by-Step Documentation on Github
9 Demos for 2 Hour 30 Minutes – Meta-Arguments


Resource Meta-Arguments
• depends_on: To handle hidden resource or module dependencies that Terraform can't automatically infer.
• count: For creating multiple resource instances according to a count.
• for_each: To create multiple instances according to a map, or set of strings.
• provider: For selecting a non-default provider configuration.
• lifecycle: Standard resource behavior can be altered using the special nested lifecycle block within a resource block body.
• Provisioners & Connections: For taking extra actions after resource creation (Example: install some app on server or do something on local desktop after resource is created at remote destination).


Azure Standard Load Balancer – Meta-Argument Count
(Diagram: Resource Group > Virtual Network > Web Tier Subnet + Web NSG with Web VM-1, Web VM-2 and Web VM-3 (each NIC, VM, Disk) created with Meta-Argument Count. The Admin reaches each VM's Port 22 through Inbound NAT Rules SSH Port 1022, SSH Port 2022 and SSH Port 3022 on the LB Public IP; Users reach the Azure Standard Load Balancer on Port 80. App Tier Subnet + App NSG; DB Tier Subnet + DB NSG)


Meta-Argument Count – applied to (code screenshots):
• Input Variable
• Network Interface
• Virtual Machine
• LB Backend Address Pool
• LB NAT Rule
• LB NAT Rule & NIC Association


Terraform Configs
• Azure Virtual Network with Subnets and Network Security Groups
• Azure Virtual Machines + Network Interface + Public IP
• Azure Bastion Host Linux VM – Enabled
• Azure Bastion Service - Disabled
• Azure Standard Load Balancer – Web + Inbound NAT Rules


Time it takes to complete this Demo – Real-World Demo 7 (figure)
Real-World Demo 8
Azure Multiple VMs – Meta-Argument for_each (Virtual Machines, Load Balancer)
Azure Standard Load Balancer – Meta-Argument for_each
(Diagram: Resource Group > Virtual Network > Web Tier Subnet + Web NSG with Web VM-1, Web VM-2 and Web VM-3 (each NIC, VM, Disk) created with Meta-Argument for_each. The Admin reaches each VM's Port 22 through Inbound NAT Rules SSH Port 1022, SSH Port 2022 and SSH Port 3022 on the LB Public IP; Users reach the Azure Standard Load Balancer on Port 80. App Tier Subnet + App NSG; DB Tier Subnet + DB NSG)


Meta-Argument for_each – applied to (code screenshots):
• Input Variable
• Network Interface
• Virtual Machine
• LB Backend Pool
• Inbound NAT Rules
Terraform – For Loops using Outputs (code screenshots)
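The Demo 7 count pattern carried through NIC, VM, backend pool association and inbound NAT rule, with the Demo 8 output loops (a splat expression and a for expression over the instances) at the end. This is an added example and not the course's Demo 7/8 code; it targets the azurerm 3.x schema and assumes `azurerm_resource_group.myrg`, `azurerm_subnet.websubnet`, `azurerm_lb.web` and `azurerm_lb_backend_address_pool.web` exist, and that the SSH public key is at `ssh-keys/terraform-azure.pub` (assumptions):

```hcl
# Added example: count-indexed NICs, VMs and NAT rules with splat / for outputs.

variable "web_vm_instance_count" {
  type    = number
  default = 2
}

resource "azurerm_network_interface" "web" {
  count               = var.web_vm_instance_count
  name                = "web-nic-${count.index}"
  location            = azurerm_resource_group.myrg.location
  resource_group_name = azurerm_resource_group.myrg.name
  ip_configuration {
    name                          = "web-ip-1"
    subnet_id                     = azurerm_subnet.websubnet.id
    private_ip_address_allocation = "Dynamic"
  }
}

resource "azurerm_linux_virtual_machine" "web" {
  count                 = var.web_vm_instance_count
  name                  = "web-vm-${count.index}"
  resource_group_name   = azurerm_resource_group.myrg.name
  location              = azurerm_resource_group.myrg.location
  size                  = "Standard_DS1_v2"
  admin_username        = "azureuser"
  network_interface_ids = [azurerm_network_interface.web[count.index].id] # same index => same VM
  admin_ssh_key {
    username   = "azureuser"
    public_key = file("${path.module}/ssh-keys/terraform-azure.pub") # assumed path
  }
  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }
  source_image_reference {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-jammy"
    sku       = "22_04-lts-gen2"
    version   = "latest"
  }
}

resource "azurerm_network_interface_backend_address_pool_association" "web" {
  count                   = var.web_vm_instance_count
  network_interface_id    = azurerm_network_interface.web[count.index].id
  ip_configuration_name   = "web-ip-1"
  backend_address_pool_id = azurerm_lb_backend_address_pool.web.id
}

# One NAT rule per VM: 1022 -> VM0:22, 2022 -> VM1:22, 3022 -> VM2:22
resource "azurerm_lb_nat_rule" "web_ssh" {
  count                          = var.web_vm_instance_count
  name                           = "ssh-${(count.index + 1) * 1000 + 22}-vm-22"
  resource_group_name            = azurerm_resource_group.myrg.name
  loadbalancer_id                = azurerm_lb.web.id
  protocol                       = "Tcp"
  frontend_port                  = (count.index + 1) * 1000 + 22
  backend_port                   = 22
  frontend_ip_configuration_name = azurerm_lb.web.frontend_ip_configuration[0].name
}

resource "azurerm_network_interface_nat_rule_association" "web_ssh" {
  count                 = var.web_vm_instance_count
  network_interface_id  = azurerm_network_interface.web[count.index].id
  ip_configuration_name = "web-ip-1"
  nat_rule_id           = azurerm_lb_nat_rule.web_ssh[count.index].id
}

# Splat expression: the private IP of every count instance, as a list
output "web_vm_private_ips" {
  value = azurerm_linux_virtual_machine.web[*].private_ip_address
}

# for expression with an index: VM name => SSH port exposed on the load balancer
output "web_vm_ssh_ports" {
  value = { for i, vm in azurerm_linux_virtual_machine.web : vm.name => azurerm_lb_nat_rule.web_ssh[i].frontend_port }
}
```

Reducing `web_vm_instance_count` from 3 to 2 destroys index 2 and its NAT rule and leaves 0 and 1 alone, but removing a VM from the middle of the list is not expressible with count; that is the case where the for_each version of Demo 8, keyed by VM name, behaves better.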


Terraform Configs
• Azure Virtual Network with Subnets and Network Security Groups
• Azure Virtual Machines + Network Interface + Public IP
• Azure Bastion Host Linux VM – Enabled
• Azure Bastion Service - Disabled
• Azure Standard Load Balancer – Web + Inbound NAT Rules


Time it takes to complete this Demo – Real-World Demo 8 (figure)
Real-World Demo 9
Azure Virtual Machine Scale Sets – Manual Scaling, External LB (Load Balancer, VM Scale Sets)
Azure Standard Load Balancer – VMSS Manual Scaling
(Diagram: Resource Group > Virtual Network. The SSH Client (Putty / Terminal) connects on Port 22 to Bastion VM-1 (Bastion Host Linux VM Public IP, NIC, VM, Disk) in the Bastion Host Subnet + Bastion NSG, and from there on Port 22 to the Web VMSS instances. The Web VMSS (Manual Scaling, Web VMSS NSG) sits in the Web Tier Subnet + Web NSG; Users reach the Azure Standard Load Balancer (LB Public IP) on Port 80. App Tier Subnet + App NSG; DB Tier Subnet + DB NSG)


LB Topology (figure)
VMSS Manual - Topology (figure)


Terraform Dynamic Blocks for VMSS Network Security Group


VMSS Resource – Associate Load Balancer (code screenshot; annotation: "Not needed when using VMSS")
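A dynamic block generating the VMSS NSG's inbound rules from a map, followed by the scale set resource that attaches that NSG and the load balancer backend pool directly in its network interface configuration. This is an added example, not the course's Demo 9 code; it targets the azurerm 3.x schema and assumes `azurerm_resource_group.myrg`, `azurerm_subnet.websubnet` and `azurerm_lb_backend_address_pool.web` exist, with the key path and port map as constructed values:

```hcl
# Added example: dynamic "security_rule" block driven by a map, and a VMSS that
# wires the NSG and the LB backend pool in its own network_interface block.

locals {
  # priority => destination port; the map is the single source of truth for
  # what the web scale set accepts inbound (constructed sample values)
  web_vmss_nsg_inbound_ports_map = {
    "100" = "80"
    "110" = "443"
    "120" = "22"
  }
}

resource "azurerm_network_security_group" "web_vmss" {
  name                = "web-vmss-nsg"
  location            = azurerm_resource_group.myrg.location
  resource_group_name = azurerm_resource_group.myrg.name

  # One security_rule block per map entry; inside "content" the iterator is
  # named after the block (security_rule.key / security_rule.value)
  dynamic "security_rule" {
    for_each = local.web_vmss_nsg_inbound_ports_map
    content {
      name                   = "inbound-rule-${security_rule.key}"
      priority               = security_rule.key # string key converts to number
      direction              = "Inbound"
      access                 = "Allow"
      protocol               = "Tcp"
      source_port_range      = "*"
      destination_port_range = security_rule.value
      # SSH only from inside the VNet (the bastion); web ports from anywhere
      source_address_prefix      = security_rule.value == "22" ? "VirtualNetwork" : "*"
      destination_address_prefix = "*"
    }
  }
}

resource "azurerm_linux_virtual_machine_scale_set" "web" {
  name                = "web-vmss"
  resource_group_name = azurerm_resource_group.myrg.name
  location            = azurerm_resource_group.myrg.location
  sku                 = "Standard_DS1_v2"
  instances           = 2 # manual scaling: change this number and apply
  admin_username      = "azureuser"
  upgrade_mode        = "Automatic"

  admin_ssh_key {
    username   = "azureuser"
    public_key = file("${path.module}/ssh-keys/terraform-azure.pub") # assumed path
  }
  source_image_reference {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-jammy"
    sku       = "22_04-lts-gen2"
    version   = "latest"
  }
  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  network_interface {
    name                      = "web-vmss-nic"
    primary                   = true
    network_security_group_id = azurerm_network_security_group.web_vmss.id
    ip_configuration {
      name      = "internal"
      primary   = true
      subnet_id = azurerm_subnet.websubnet.id
      # Backend pool membership is declared here for every instance, so the
      # per-NIC azurerm_network_interface_backend_address_pool_association
      # resource used for single VMs is not needed with a scale set.
      load_balancer_backend_address_pool_ids = [azurerm_lb_backend_address_pool.web.id]
    }
  }
}
```

Adding a port means adding one map entry; the rule's priority and name follow from the key, so two entries can never collide on priority without `terraform plan` showing it.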


Terraform Configs
• Azure Virtual Network with Subnets and Network Security Groups
• Azure Virtual Machine Scale Sets with Manual Scaling + Terraform Dynamic Blocks for VMSS NSG
• Azure Bastion Host Linux VM – Enabled
• Azure Bastion Service - Disabled
• Azure Standard Load Balancer – Web + Inbound NAT Rules


Time it takes to complete this Demo – Real-World Demo 9 (figure)
Real-World Demo 10
Azure Virtual Machine Scale Sets – Autoscaling, External LB (Load Balancer, VM Scale Sets)
Azure Standard Load Balancer + VMSS Auto Scaling
(Diagram: Resource Group > Virtual Network. The SSH Client (Putty / Terminal) connects on Port 22 to Bastion VM-1 (Bastion Host Linux VM Public IP, NIC, VM, Disk) in the Bastion Host Subnet + Bastion NSG, and from there on Port 22 to the Web VMSS instances. The Web VMSS (Autoscaling, Web VMSS NSG) sits in the Web Tier Subnet + Web NSG; Users reach the Azure Standard Load Balancer (LB Public IP) on Port 80. App Tier Subnet + App NSG; DB Tier Subnet + DB NSG)


Azure VMSS - Autoscaling
• Autoscaling Default Profile: Mandatory Profile. Defaults to round the clock schedule. Will not execute if Recurrence or Fixed Profile exists.
• Autoscaling Recurrence Profile: Recur on those days with start time specified. Week Day and Weekend profiles. Business Hour and Non-Business Hour profiles.
• Autoscaling Fixed Profiles: Executes on that specific day. Fixed profile takes priority 1 for execution on that day if it exists.
Priority Execution Order for Autoscaling Profiles: P1 Fixed Profile, P2 Recurrence Profile, P3 Default Profile.


LB Topology (figure)
VMSS Manual - Topology (figure)


Autoscaling – Portal Screenshots:
• Autoscaling – Default Profile
• Autoscaling Default Profile: Scale Out, Scale In
• Autoscaling – What happens to the default profile when other profiles are present?
• Autoscaling Recurrence Profile – Week Days
• Autoscaling Recurrence Profile – Weekends
• Autoscaling Fixed Date Profile
• Autoscaling Run History
• Autoscaling Events – Activity Log
• Azure Autoscaling Resource – VMSS, App Services


Terraform Configs
• Azure Virtual Network with Subnets and Network Security Groups
• Azure Virtual Machine Scale Sets with Autoscaling + Terraform Dynamic Blocks for VMSS NSG
• Azure Bastion Host Linux VM – Enabled
• Azure Bastion Service - Disabled
• Azure Standard Load Balancer - Web


Time it takes to complete this Demo – Real-World Demo 10 (figure)
Real-World Demo 11
Azure Standard Load Balancer – External and Internal LB
Azure - External LB + Web VMSS + Internal LB + App VMSS
(Diagram: Resource Group > Virtual Network. Users reach the Azure Standard Load Balancer (LB Public IP) on Port 80, which forwards to the Web VMSS (Web VMSS NSG) in the Web Tier Subnet + Web NSG. The Web VMSS calls the Internal LB in the App Tier Subnet + App NSG, which forwards to the App VMSS (App VMSS NSG). A NAT Gateway with its own Public IP gives the App VMSS outbound access to the Internet. The Web VMSS downloads app1.conf from a Storage Account container into Apache. The SSH Client (Putty / Terminal) reaches Bastion VM-1 (Bastion Host Linux VM Public IP, NIC, VM, Disk) in the Bastion Host Subnet + Bastion NSG on Port 22, and from there the VMSS instances on Port 22. DB Tier Subnet + DB NSG)


Azure Resources for Internal LB
Azure Standard Load Balancer:
• azurerm_lb
• azurerm_lb_backend_address_pool
• azurerm_lb_probe
• azurerm_lb_rule
• azurerm_network_interface_backend_address_pool_association
Internal LB is created in the App Subnet; no Public IP for the Internal LB.


Azure Resources
In addition to the App VM and App Load Balancer, these resources are also required:
NAT Gateway:
• azurerm_public_ip for NAT Gateway
• azurerm_nat_gateway
• azurerm_nat_gateway_public_ip_association
• azurerm_subnet_nat_gateway_association
Storage Account:
• azurerm_storage_account
• azurerm_storage_container
• azurerm_storage_blob
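The app-tier plumbing the two resource lists above describe: an internal load balancer whose frontend is a private address in the app subnet, a NAT Gateway providing outbound-only internet access for that subnet, and the storage account, container and blob that hold `app1.conf`. This is an added example, not the course's Demo 11 files; it targets the azurerm 3.x schema and assumes `azurerm_resource_group.myrg` and `azurerm_subnet.appsubnet` exist, with the private IP, storage account name and local file path as placeholders:

```hcl
# Added example: NAT Gateway for the app subnet, internal LB, and the httpd config blob.

resource "azurerm_public_ip" "natgw" {
  name                = "natgw-publicip"
  location            = azurerm_resource_group.myrg.location
  resource_group_name = azurerm_resource_group.myrg.name
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_nat_gateway" "app" {
  name                    = "app-natgw"
  location                = azurerm_resource_group.myrg.location
  resource_group_name     = azurerm_resource_group.myrg.name
  sku_name                = "Standard"
  idle_timeout_in_minutes = 10
}

resource "azurerm_nat_gateway_public_ip_association" "app" {
  nat_gateway_id       = azurerm_nat_gateway.app.id
  public_ip_address_id = azurerm_public_ip.natgw.id
}

# Outbound only: the app subnet's instances egress through the gateway's IP,
# while nothing on the internet can initiate a connection to them.
resource "azurerm_subnet_nat_gateway_association" "app" {
  subnet_id      = azurerm_subnet.appsubnet.id
  nat_gateway_id = azurerm_nat_gateway.app.id
}

# Internal LB: the frontend is a private IP inside the app subnet, no public IP at all
resource "azurerm_lb" "app" {
  name                = "app-lb"
  location            = azurerm_resource_group.myrg.location
  resource_group_name = azurerm_resource_group.myrg.name
  sku                 = "Standard"
  frontend_ip_configuration {
    name                          = "app-lb-privateip-1"
    subnet_id                     = azurerm_subnet.appsubnet.id
    private_ip_address_allocation = "Static"
    private_ip_address            = "10.0.11.241" # placeholder inside the app subnet range
  }
}

resource "azurerm_storage_account" "httpd" {
  name                     = "httpdconfstore12345" # placeholder: globally unique, 3-24 lowercase alphanumerics
  resource_group_name      = azurerm_resource_group.myrg.name
  location                 = azurerm_resource_group.myrg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  min_tls_version          = "TLS1_2"
}

resource "azurerm_storage_container" "httpd" {
  name                 = "httpd-files"
  storage_account_name = azurerm_storage_account.httpd.name
  # "blob" allows anonymous read of blobs so the VMSS custom data can fetch the
  # file without credentials; acceptable only because app1.conf holds no secrets.
  container_access_type = "blob"
}

resource "azurerm_storage_blob" "app1_conf" {
  name                   = "app1.conf"
  storage_account_name   = azurerm_storage_account.httpd.name
  storage_container_name = azurerm_storage_container.httpd.name
  type                   = "Block"
  source                 = "${path.module}/app-scripts/app1.conf" # assumed local path
}
```

If the configuration file ever needs to carry anything sensitive, switch the container to `container_access_type = "private"` and let the scale set read it with a managed identity instead of relying on anonymous access.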


Azure Load Balancer – External LB and Internal LB (figures: External LB, Internal LB)
Azure Resources - Topology (figure)


Terraform Configs
• Azure Virtual Network with Subnets and Network Security Groups
• Azure Virtual Machine Scale Set with Auto Scaling Profile - Web Tier
• Azure Bastion Host Linux VM – Enabled
• Azure Bastion Service - Disabled
• Azure Standard Load Balancer – External Internet facing for Web Tier VMSS Load Balancing
• Azure Storage Account – Httpd conf Deployment
• Azure NAT Gateway – Outbound communication for App VMSS
• Azure Virtual Machine Scale Set with Auto Scaling Profile - App Tier
• Azure Standard Load Balancer – Internal for App Tier VMSS Load Balancing


Time it takes to complete this Demo – Real-World Demo 11 (figure)
Real-World Demo 12
Azure Private DNS Zones (Load Balancer, VM Scale Sets)


Azure - Private DNS Zones
(Diagram: Resource Group > Virtual Network, linked to the Private DNS Zone terraformguru.com whose record applb.terraformguru.com resolves to the Internal LB. Users reach the Azure Standard Load Balancer (LB Public IP) on Port 80, which forwards to the Web VMSS (Web VMSS NSG) in the Web Tier Subnet + Web NSG; the Web VMSS calls the Internal LB in the App Tier Subnet + App NSG, which forwards to the App VMSS (App VMSS NSG). A NAT Gateway with its own Public IP gives the App VMSS outbound access to the Internet. The Web VMSS downloads app1.conf from a Storage Account container into Apache. The SSH Client (Putty / Terminal) reaches Bastion VM-1 (Bastion Host Linux VM Public IP, NIC, VM, Disk) in the Bastion Host Subnet + Bastion NSG on Port 22, and from there the VMSS instances on Port 22. DB Tier Subnet + DB NSG)


Azure Resources
Azure Private DNS Zone:
• azurerm_private_dns_zone
• azurerm_private_dns_zone_virtual_network_link
• azurerm_private_dns_a_record for App LB


Terraform Configs
• Azure Virtual Network with Subnets and Network Security Groups
• Azure Virtual Machine Scale Set with Auto Scaling Profile - Web Tier
• Azure Bastion Host Linux VM – Enabled
• Azure Bastion Service - Disabled
• Azure Standard Load Balancer – External (Web Tier Load Balancer)
• Azure Storage Account – Deploy httpd conf
• Azure NAT Gateway – Outbound communication for App VMSS
• Azure Virtual Machine Scale Set with Auto Scaling Profile - App Tier
• Azure Standard Load Balancer – Internal (App Tier Load Balancer)
• Azure Private DNS Zone for App Tier Load Balancer internal DNS Name in VNET


Time it takes to complete this Demo – Real-World Demo 12 (figure)
Real-World Demo 13
Azure – Delegate DNS Domain To Azure Public DNS Zone
Real-World Demo 14
Azure Public DNS Zones (Load Balancer, VM Scale Sets)


Azure - Public DNS Zones
(Diagram: a separate Resource Group holds the Public DNS Zone kubeoncloud.com with DNS Records kubeoncloud.com, www.kubeoncloud.com and app1.kubeoncloud.com; Users open http://kubeoncloud.com, http://www.kubeoncloud.com and http://app1.kubeoncloud.com, which resolve to the Azure Standard Load Balancer (LB Public IP) on Port 80. The main Resource Group > Virtual Network keeps the Demo 12 layout: Private DNS Zone terraformguru.com with applb.terraformguru.com for the Internal LB; Web VMSS (Web VMSS NSG) in the Web Tier Subnet + Web NSG; Internal LB and App VMSS (App VMSS NSG) in the App Tier Subnet + App NSG; NAT Gateway with Public IP for outbound Internet access; Storage Account from which app1.conf is downloaded into Apache; Bastion VM-1 (Bastion Host Linux VM Public IP, NIC, VM, Disk) in the Bastion Host Subnet + Bastion NSG reachable from the SSH Client (Putty / Terminal) on Port 22; DB Tier Subnet + DB NSG)


Azure Resources
Azure Public DNS Zone:
• Datasource: azurerm_dns_zone
• azurerm_dns_a_record – Root Record: kubeoncloud.com
• azurerm_dns_a_record – www Record: www.kubeoncloud.com
• azurerm_dns_a_record – app1 Record: app1.kubeoncloud.com


Terraform Configs
- Azure Virtual Network with Subnets and Network Security Groups
- Azure Virtual Machine Scale Set with Auto Scaling Profile - Web Tier
- Azure Bastion Host Linux VM – Enabled
- Azure Bastion Service - Disabled
- Azure Standard Load Balancer – External (Web Tier Load Balancer)
- Azure Storage Account – Deploy httpd conf
- Azure NAT Gateway – Outbound communication for App VMSS
- Azure Virtual Machine Scale Set with Auto Scaling Profile - App Tier
- Azure Standard Load Balancer – Internal (App Tier Load Balancer)
- Azure Private DNS Zone for App Tier Load Balancer internal DNS Name in VNET
- Azure Public DNS Zone – Access Applications via Internet using Registered Domain


Time it takes to complete this Demo: Real-World Demo 14
Real-World Demo 15: Terraform Backend - Remote State Storage with Azure Storage Account (Azure Load Balancer, VM Scale Sets)
What is Terraform Backend?
Backends are responsible for storing state and providing an API for state locking.
Terraform State Storage and Terraform State Locking: both provided by an Azure Storage Account.


Local State File vs Remote State File
Local State File: terraform.tfstate lives on Admin1's Desktop and manages the Azure VM Instance in Azure Cloud. Admin2 and Admin3 cannot update the infrastructure as they don't have access to the State File. This means we need to store the state file in a shared location.
Remote State File: Using the Terraform Backend concept we can use an Azure Storage Account as the shared storage for State Files. Admin1, Admin2 and Admin3 then work from their Desktops against the same terraform.tfstate in the Azure Storage Account.
State Locking: If two team members are running Terraform at the same time, you may run into race conditions as multiple Terraform processes make concurrent updates to the state files, leading to conflicts, data loss, and state file corruption.


Terraform Remote State File with State Locking
(Diagram: Admin1, Admin2 and Admin3 Desktops share terraform.tfstate in an Azure Storage Account and manage the Azure VM Instance in Azure Cloud.)
- Not all backends support State Locking. Azure Storage Account supports State Locking.
- State locking happens automatically on all operations that could write state.
- If state locking fails, Terraform will not continue.
- You can disable state locking for most commands with the -lock=false flag, but it is not recommended.
- If acquiring the lock is taking longer than expected, Terraform will output a status message.
- If Terraform doesn't output a message, state locking is still occurring if your backend supports it.
- Terraform has a force-unlock command to manually unlock the state if unlocking failed.
Terraform Remote State File with State Locking
Terraform Remote State Storage
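The backend block that puts this into practice, as an added example rather than the course's demo-15 code; the resource group, storage account, container and key names are assumptions:

```hcl
# Added example (not the course's demo-15 code): remote state in an Azure Storage
# Account with state locking. The resource group, storage account, container
# and key names are assumptions; replace them with your own values.

terraform {
  required_version = ">= 1.0.0"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }

  # The azurerm backend keeps terraform.tfstate as a blob and takes a blob
  # lease on it while any state-writing command runs. A second apply on the
  # same key cannot acquire the lease, so it stops instead of racing the first.
  backend "azurerm" {
    resource_group_name  = "terraform-storage-rg"
    storage_account_name = "terraformstatedemo01"   # globally unique, lower-case
    container_name       = "tfstatefiles"
    key                  = "terraform.tfstate"

    # Authenticate to the blob with the caller's Azure AD identity rather than a
    # storage account access key; the caller then needs the Storage Blob Data
    # Owner role on the container. State holds resource attributes in clear
    # text (passwords, keys), so read access to this container is sensitive.
    use_azuread_auth = true
  }
}

provider "azurerm" {
  features {}
}
```

Per-environment state files are selected at init time, for example `terraform init -backend-config="key=dev-terraform.tfstate"`. A lease left behind by a crashed run is released with `terraform force-unlock <LOCK_ID>` once you have confirmed nobody else is applying.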


Terraform Configs - Project 1
- Terraform Remote Backends – Azure Storage Account
- Azure Virtual Network with Subnets and Network Security Groups
- Azure Virtual Machine Scale Set with Auto Scaling Profile
- Azure Bastion Host Linux VM – Disabled
- Azure Bastion Service - Disabled
- Azure Standard Load Balancer


Time it takes to complete this Demo: Real-World Demo 15
Terraform Backends


Terraform Backends
Each Terraform configuration can specify a backend, which defines where and how operations are performed, where state snapshots are stored, etc.
Where Backends are Used
- Backend configuration is only used by Terraform CLI.
- Terraform Cloud and Terraform Enterprise always use their own state storage when performing Terraform runs, so they ignore any backend block in the configuration.
- Even for Terraform Cloud users it is recommended to keep a backend block in the Terraform configuration, because commands like terraform taint can be executed only using Terraform CLI.
Terraform Backends - What Backends Do
There are two things backends will be used for:
1. Where state is stored
2. Where operations are performed.
Store State: Terraform uses persistent state data to keep track of the resources it manages. Everyone working with a given collection of infrastructure resources must be able to access the same state data (shared state storage).
State Locking: State Locking is to prevent conflicts and inconsistencies when operations are being performed.
Operations: "Operations" refers to performing API requests against infrastructure services in order to create, read, update, or destroy resources. Not every terraform subcommand performs API operations; many of them only operate on state data. Only two backends actually perform operations: local and remote. The remote backend can perform API operations remotely, using Terraform Cloud or Terraform Enterprise.
What are Operations? terraform apply, terraform destroy


Terraform Backends - Backend Types
Enhanced Backends: Enhanced backends can both store state and perform operations. There are only two enhanced backends: local and remote. Example for Remote Backend performing operations: Terraform Cloud, Terraform Enterprise.
Standard Backends: Standard backends only store state, and rely on the local backend for performing operations. Example: AWS S3, Azure RM, Consul, etcd, gcs, http and many more.
Real-World Demo 16: Azure Traffic Manager and Terraform Remote State Datasource (Azure Load Balancer, VM Scale Sets)
Terraform Remote State Datasource
- Project-1 (eastus2): Azure VNET + LB + VMSS, state in project-1-terraform.tfstate
- Project-2 (westus2): Azure VNET + LB + VMSS, state in project-2-terraform.tfstate
- Project-3 (eastus2): Azure Traffic Manager, state in project-3-terraform.tfstate; it reads the Project-1 and Project-2 state files through the terraform_remote_state data source
The terraform_remote_state data source retrieves the root module output values from some other Terraform configuration, using the latest state snapshot from the remote backend.


Azure – Traffic Manager (architecture diagram)
Users → Azure Traffic Manager (mytfdemo-wquift.trafficmanager.net, in its own Resource Group in eastus2) → two regional stacks:
- Region eastus2: Resource Group, Virtual Network, Web Tier Subnet (Web Subnet NSG), Web VMSS (Web VMSS NSG), Azure Standard Load Balancer with LB Public IP
- Region westus2: Resource Group, Virtual Network, Web Tier Subnet (Web Subnet NSG), Web VMSS (Web VMSS NSG), Azure Standard Load Balancer with LB Public IP


Traffic Manager Endpoints
Terraform Backend – Three Projects: Project-1 Terraform State File, Project-2 Terraform State File, Project-3 Terraform State File


Terraform Configs - Project 1 and 2
- Project-1 Region: eastus2
- Project-2 Region: westus2
- Azure Virtual Network with Subnets and Network Security Groups
- Azure Virtual Machine Scale Set with Auto Scaling Profile
- Azure Bastion Host Linux VM – Disabled
- Azure Bastion Service - Disabled
- Azure Standard Load Balancer
Terraform Configs – Project 3
- Terraform Remote State Datasource to access Project-1 and Project-2 Public IP SLB
- Traffic Manager Project Generic Resources (RG, locals, Input Variables, Random Resources)
- Azure Traffic Manager Resource
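How Project-3 consumes the other two projects' state, as an added example and not the course's Project-3 code; the storage account, container, state keys and the output name `web_lb_public_ip_id` are assumptions:

```hcl
# Added example (not the course's Project-3 code): Project-3 reads the public IP
# ids that Project-1 (eastus2) and Project-2 (westus2) export as root outputs and
# registers them as Traffic Manager endpoints. Storage account, container, state
# keys and the output name `web_lb_public_ip_id` are assumptions.

locals {
  state_store = {
    resource_group_name  = "terraform-storage-rg"
    storage_account_name = "terraformstatedemo01"
    container_name       = "tfstatefiles"
  }
  web_projects = {
    project1 = "project-1-terraform.tfstate"
    project2 = "project-2-terraform.tfstate"
  }
}

# terraform_remote_state downloads the whole state blob, not only its outputs,
# so the identity running Project-3 can read every attribute Project-1/2 store
# there. Grant that read access deliberately and keep exported outputs minimal.
data "terraform_remote_state" "web" {
  for_each = local.web_projects
  backend  = "azurerm"
  config   = merge(local.state_store, { key = each.value })
}

resource "azurerm_resource_group" "tm" {
  name     = "traffic-manager-rg"
  location = "eastus2"
}

resource "azurerm_traffic_manager_profile" "web" {
  name                   = "mytfdemo-web"
  resource_group_name    = azurerm_resource_group.tm.name
  traffic_routing_method = "Weighted"

  dns_config {
    relative_name = "mytfdemo-web"   # becomes mytfdemo-web.trafficmanager.net, must be unique
    ttl           = 60
  }

  # The health probe decides which region receives traffic; probe the real app.
  monitor_config {
    protocol                     = "HTTP"
    port                         = 80
    path                         = "/"
    interval_in_seconds          = 30
    timeout_in_seconds           = 9
    tolerated_number_of_failures = 3
  }
}

# One endpoint per regional stack. The Public IP behind each Standard LB must
# carry a DNS label (domain_name_label) or Traffic Manager rejects it.
resource "azurerm_traffic_manager_azure_endpoint" "web" {
  for_each           = data.terraform_remote_state.web
  name               = "${each.key}-endpoint"
  profile_id         = azurerm_traffic_manager_profile.web.id
  weight             = 50
  target_resource_id = each.value.outputs.web_lb_public_ip_id
}

output "traffic_manager_fqdn" {
  value = azurerm_traffic_manager_profile.web.fqdn
}
```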


Terraform Remote State Data source
Time it takes to complete this Demo: Real-World Demo 16
Real-World Demo 17 & 18: Azure Application Gateway using Azure Portal & Terraform (Application Gateway, VM Scale Sets)
Azure Application Gateway
Azure Application Gateway Components


Azure Application Gateway – Create Azure Application Gateway manually using Azure Portal (architecture diagram)
Users → LB Public IP → Azure Application Gateway (AG Subnet, AG NSG, Port 80) → Web VMSS (Web Tier Subnet, Web Subnet NSG); the App Tier Subnet (App Subnet NSG) and DB Tier Subnet (DB Subnet NSG) share the same Virtual Network and Resource Group.
AG components created using Azure Portal: AG – Backend Pools, AG – Frontend IP Configs, AG – Listeners, AG – HTTP Settings, AG – Rules, AG – Health Probes.


Azure Application Gateway – Create Azure Application Gateway using Terraform (architecture diagram)
Same topology as the portal demo: Users → LB Public IP → Azure Application Gateway (AG Subnet, AG NSG, Port 80) → Web VMSS (Web Tier Subnet, Web Subnet NSG); App Tier Subnet (App Subnet NSG) and DB Tier Subnet (DB Subnet NSG) in the same Virtual Network and Resource Group.
AG components created using Terraform: AG – Backend Pools, AG – Frontend IP Configs, AG – Listeners, AG – HTTP Settings, AG – Rules, AG – Health Probes.


Azure Application Gateway (architecture diagram, with Bastion Host)
Users → LB Public IP → Azure Application Gateway (AG Subnet, AG NSG, Port 80) → Web VMSS (Web Tier Subnet, Web Subnet NSG); App Tier Subnet (App Subnet NSG) and DB Tier Subnet (DB Subnet NSG) in the same Virtual Network and Resource Group.
SSH Client (Putty / Terminal) connects on Port 22 to the Bastion Host Linux VM (Bastion Subnet, Bastion NSG, Public IP, NIC, VM Disk), and from there on Port 22 to the VMSS instances.


Azure Application Gateway - Topology
Azure Application Gateway + VMSS - Topology


Terraform Configs
- Azure Virtual Network with Subnets and Network Security Groups
- Azure Virtual Machine Scalesets with Autoscaling enabled
- Azure Bastion Linux VM – Disabled
- Azure Bastion Service - Disabled
- Azure Application Gateway


Time it takes to complete this Demo: Real-World Demo 17 & 18
Real-World Demo 19: Azure Application Gateway Context Path Routing (Application Gateway, VM Scale Sets)


Azure Application Gateway – Context Path based Routing (architecture diagram)
Users request http://ag-public-ip/app1/, http://ag-public-ip/app2/ and http://ag-public-ip/ at the LB Public IP of the Azure Application Gateway (AG Subnet, AG NSG) inside the Resource Group / Virtual Network.
Path rules: /app1/* → App1 VMSS (Web Tier Subnet, Web Subnet NSG); /app2/* → App2 VMSS; /* → External Site stacksimplify.com.


Azure Application Gateway Components
Azure Application Gateway Context Path Routing
Path Based Routing: Root Context External Redirect; Context Path based Routing
Path based Routing Rule
Default Root Context - Redirection
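The path map, rules and root redirect from the diagram expressed as one gateway resource; this is an added example, not the course's demo-19 code, and the resource group, subnet, public IP and pool names are assumptions:

```hcl
# Added example (not the course's demo-19 code): one Application Gateway that
# routes /app1/* and /app2/* to two VMSS backend pools and redirects every other
# path to an external site. Resource group, subnet, public IP and pool names are
# assumptions; the VMSS instances are assumed to join the pools through their
# own network profile, so the pools are declared empty here.
locals {
  apps = {
    app1 = "/app1/*"
    app2 = "/app2/*"
  }
}

resource "azurerm_application_gateway" "web" {
  name                = "appgw-context-path"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location

  sku {
    name     = "Standard_v2"
    tier     = "Standard_v2"
    capacity = 2
  }
  gateway_ip_configuration {
    name      = "appgw-ip-config"
    subnet_id = azurerm_subnet.agsubnet.id
  }
  frontend_port {
    name = "port-80"
    port = 80
  }
  frontend_ip_configuration {
    name                 = "public-frontend"
    public_ip_address_id = azurerm_public_ip.appgw.id
  }
  http_listener {
    name                           = "http-listener"
    frontend_ip_configuration_name = "public-frontend"
    frontend_port_name             = "port-80"
    protocol                       = "Http"
  }

  # One backend pool and one HTTP setting per app, generated from local.apps.
  dynamic "backend_address_pool" {
    for_each = local.apps
    content {
      name = "${backend_address_pool.key}-pool"
    }
  }
  dynamic "backend_http_settings" {
    for_each = local.apps
    content {
      name                  = "${backend_http_settings.key}-http"
      protocol              = "Http"
      port                  = 80
      cookie_based_affinity = "Disabled"
      request_timeout       = 30
    }
  }

  # Path rules send each prefix to its own pool; a request that matches no
  # rule (the bare root, for instance) gets the default action, a redirect.
  url_path_map {
    name                                = "web-path-map"
    default_redirect_configuration_name = "root-redirect"
    dynamic "path_rule" {
      for_each = local.apps
      content {
        name                       = "${path_rule.key}-rule"
        paths                      = [path_rule.value]
        backend_address_pool_name  = "${path_rule.key}-pool"
        backend_http_settings_name = "${path_rule.key}-http"
      }
    }
  }
  redirect_configuration {
    name                 = "root-redirect"
    redirect_type        = "Permanent"
    target_url           = "https://stacksimplify.com"
    include_path         = false
    include_query_string = false
  }
  request_routing_rule {
    name               = "web-path-rule"
    priority           = 100
    rule_type          = "PathBasedRouting"
    http_listener_name = "http-listener"
    url_path_map_name  = "web-path-map"
  }
}
```

Because `include_path` and `include_query_string` are false, nothing from the original request is forwarded to the external site, which is the safer default when the redirect target is not under your control.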


Terraform Configs
- Azure Virtual Network with Subnets and Network Security Groups
- Azure Virtual Machine Scalesets with Autoscaling enabled
- Azure Bastion Linux VM – Disabled
- Azure Bastion Service - Disabled
- Azure Application Gateway


Time it takes to complete this Demo: Real-World Demo 19
Real-World Demo 20: Azure Application Gateway Multisite Hosting (Application Gateway, VM Scale Sets)


Azure Application Gateway – Multisite Hosting (architecture diagram)
Users → LB Public IP → Azure Application Gateway (AG Subnet, AG NSG) in the Resource Group / Virtual Network, with one listener per host name:
- app1.terraformguru.com → App1 VMSS (Web Tier Subnet, Web Subnet NSG): http://app1.terraformguru.com/index.html, http://app1.terraformguru.com/app1/index.html
- app2.terraformguru.com → App2 VMSS: http://app2.terraformguru.com/index.html, http://app2.terraformguru.com/app2/index.html


Azure Application Gateway Components
Azure Application Gateway Multisite Hosting
Azure Application Gateway - Listeners
Azure Application Gateway - Routing Rules
Azure Application Gateway – Health Probes
VMSS Topology App1 and App2


Terraform Configs
- Azure Virtual Network with Subnets and Network Security Groups
- Azure Virtual Machine Scalesets with Autoscaling enabled
- Azure Bastion Linux VM – Disabled
- Azure Bastion Service - Disabled
- Azure Application Gateway


Time it takes to complete this Demo: Real-World Demo 20
Real-World Demo 21: Azure Application Gateway - Self Signed SSL, Http to Https Redirect, Error Pages 502 and 403 (Application Gateway, VM Scale Sets)
Azure Application Gateway – SSL Self-signed (architecture diagram)
Users request http://terraformguru.com and https://terraformguru.com at the LB Public IP of the Azure Application Gateway (AG Subnet, AG NSG) in the Resource Group / Virtual Network. HTTP is answered with an HTTP To HTTPs Redirect, the HTTPS listener uses self-signed SSL Certs, and traffic is forwarded to App1 VMSS (Web Tier Subnet, Web Subnet NSG).
AG Error Pages 502.html and 403.html are served from an Azure Storage Account.


Azure Application Gateway Components
Azure Application Gateway – SSL
VMSS Topology
HTTPS Listener Error Pages
HTTP to HTTPS Redirect Routing Rule


Terraform Configs
- SSL Self-Signed Certificates
- Azure Virtual Network with Subnets and Network Security Groups
- Azure Virtual Machine Scalesets with Autoscaling enabled
- Azure Bastion Linux VM – Disabled
- Azure Bastion Service - Disabled
- Azure Application Gateway
- Azure Storage Account for AG Error Pages


Time it takes to complete this Demo: Real-World Demo 21
Real-World Demo 22: Azure Application Gateway - Self Signed SSL from Azure Key Vault with User Managed Identity (Azure Key Vault, Application Gateway, VM Scale Sets)


Azure Application Gateway – SSL from Key Vault (architecture diagram)
Same layout as the self-signed demo: Users request http://terraformguru.com and https://terraformguru.com at the LB Public IP of the Azure Application Gateway (AG Subnet, AG NSG) with HTTP To HTTPs Redirect, SSL Certs and Error Pages, forwarding to App1 VMSS (Web Tier Subnet, Web Subnet NSG); error pages 502.html and 403.html come from an Azure Storage Account.
Difference: the gateway accesses the SSL Certificate from Azure Key Vault through a User Assigned Managed Identity.


What is User-assigned Managed Identity?
Azure Application Gateway HTTPS Listener - SSL Certificate associated from Azure Key Vault
Azure Key Vault – SSL Certificate Import
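The identity, role assignment and certificate reference that make the Key Vault association work, as an added example rather than the course's demo-22 code. It assumes the vault (with RBAC authorization enabled) and the imported certificate already exist and are read through data sources, and it leaves out the plain-HTTP listener and its redirect from demo 21; resource group, subnet, public IP and pool names are assumptions:

```hcl
# Added example (not the course's demo-22 code): the gateway reads its TLS
# certificate from Key Vault through a user-assigned managed identity, so the
# PFX never sits in the Terraform configuration or state. Vault, certificate,
# resource group, subnet, public IP and pool names are assumptions.
resource "azurerm_user_assigned_identity" "appgw" {
  name                = "appgw-kv-identity"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
}
data "azurerm_key_vault" "certs" {
  name                = "kv-terraformguru-demo"   # existing vault with RBAC enabled
  resource_group_name = azurerm_resource_group.rg.name
}

data "azurerm_key_vault_certificate" "site" {
  name         = "terraformguru-selfsigned"   # already imported into the vault
  key_vault_id = data.azurerm_key_vault.certs.id
}

# Least privilege: the gateway only reads the certificate's secret form, so it
# gets Secrets User on this vault and nothing more.
resource "azurerm_role_assignment" "appgw_reads_certs" {
  scope                = data.azurerm_key_vault.certs.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.appgw.principal_id
}

resource "azurerm_application_gateway" "web" {
  name                = "appgw-kv-ssl"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.appgw.id]
  }
  # Versionless id: the gateway polls the vault and picks up a renewed
  # certificate without a Terraform change; secret_id would pin one version.
  ssl_certificate {
    name                = "terraformguru-cert"
    key_vault_secret_id = data.azurerm_key_vault_certificate.site.versionless_secret_id
  }
  ssl_policy {
    policy_type = "Predefined"
    policy_name = "AppGwSslPolicy20170401S"   # TLS 1.2 minimum, no weak ciphers
  }
  sku {
    name     = "Standard_v2"
    tier     = "Standard_v2"
    capacity = 2
  }
  gateway_ip_configuration {
    name      = "appgw-ip-config"
    subnet_id = azurerm_subnet.agsubnet.id
  }
  frontend_port {
    name = "port-443"
    port = 443
  }
  frontend_ip_configuration {
    name                 = "public-frontend"
    public_ip_address_id = azurerm_public_ip.appgw.id
  }
  backend_address_pool { name = "app1-pool" }
  backend_http_settings {
    name                  = "app1-http"
    protocol              = "Http"
    port                  = 80
    cookie_based_affinity = "Disabled"
    request_timeout       = 30
  }
  http_listener {
    name                           = "https-listener"
    frontend_ip_configuration_name = "public-frontend"
    frontend_port_name             = "port-443"
    protocol                       = "Https"
    ssl_certificate_name           = "terraformguru-cert"
  }
  request_routing_rule {
    name                       = "https-rule"
    priority                   = 100
    rule_type                  = "Basic"
    http_listener_name         = "https-listener"
    backend_address_pool_name  = "app1-pool"
    backend_http_settings_name = "app1-http"
  }
  # The role assignment must exist before Azure tries to fetch the certificate.
  depends_on = [azurerm_role_assignment.appgw_reads_certs]
}
```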


Terraform Configs
- SSL Self-Signed Certificates
- Azure Virtual Network with Subnets and Network Security Groups
- Azure Virtual Machine Scalesets with Autoscaling enabled
- Azure Bastion Linux VM – Disabled
- Azure Bastion Service - Disabled
- Azure Application Gateway + User Managed Identity
- Azure Storage Account for AG Error Pages
- Azure Key Vault for SSL Certs


Time it takes to complete this Demo: Real-World Demo 22
Real-World Demo 23: Azure IaC DevOps - Continuous Integration & Delivery Pipelines, Azure Build & Release Pipelines (Github, Azure DevOps, Azure Pipelines, Azure Starter Pipelines)
Azure Pipelines – Key Concepts
Trigger: a Developer pushes to Github, which triggers the Pipeline.
Pipeline → Stages → Jobs (each run on an Agent) → Steps.
Stages in the diagram: Stage-1: Build (Agent Job), Stage-2: AA, Stage-3: BB, Stage-4: CC.
Steps of the Build job:
- Step-1: script: List Command: ls -R $(System.DefaultWorkingDirectory)
- Step-2: Task-2: Copy Files to Build Artifact Directory
- Step-3: script: List Command: ls -R $(Build.ArtifactStagingDirectory)
- Step-4: Task-3: Publish Artifacts to Azure Pipelines


Azure DevOps – Build Pipeline (Continuous Integration Pipeline)
- Task-1: Copy files (terraform-manifests folder) from System default working Directory to Build Artifact Directory
- Task-2: Publish Build Artifacts to Azure Pipelines, so that we can use them in Release Pipelines


Azure DevOps – Release Pipelines (architecture diagram, steps numbered 1 to 10)
Developer → Github → Azure DevOps Azure Pipelines (Stage-1: Publish Artifacts) → Release Pipelines, which deploy the published Terraform manifests to the Dev, QA, Staging and Prod stages in turn; each stage writes its own state file to the Storage Account for State Files.
Each environment in Azure Cloud gets its own Resource Group, Virtual Network, Web Subnet, Web NSG, Public IP and VM (Dev VM, QA VM, Stage VM, Prod VM).


Azure IaC DevOps – Release Pipeline
Azure IaC DevOps Release Pipelines
Azure IaC DevOps Releases
Azure IaC DevOps Environment TF State Files
Virtual Network Subnets - 4 Environments: Dev, QA, Stage, Prod
4 Environments - Resources: Resource Groups, Public IP, Virtual Machines


Terraform Configs
- Azure Virtual Network with Subnets and Network Security Group Resources
- Azure Web Linux VM with Public IP and Network Interface Resources
- Environment specific tfvar files:
  terraform apply -auto-approve -var-file=dev.tfvars
  terraform apply -auto-approve -var-file=qa.tfvars


Time it takes to complete this Demo: Real-World Demo 23
Real-World Demo 23: Azure IaC DevOps - Continuous Integration Pipelines, Build Pipelines (Github, Azure DevOps, Azure Pipelines, Azure Starter Pipelines)


Azure Pipelines – Key Concepts: Stages → Jobs → Steps
- Stage-1: Job-1 Steps: Step-1: Script, Step-2: Task; Job-2 Steps: Step-1: Task, Step-2: Task
- Stage-2: Job-1 Steps: Step-1: Script, Step-2: Script; Job-2 Steps: Step-1: Task, Step-2: Task




Azure IaC DevOps – CI/Build Pipeline


Azure DevOps Parallelism Request
Agent: 1800 Minutes Free
Usually, it takes 2 to 3 business days for approval. It got approved for me in 24 hours.


Real-World Demo 23: Azure IaC DevOps - Continuous Delivery Pipelines, Release Pipelines (Github, Azure DevOps, Azure Pipelines, Azure Starter Pipelines, Azure Release Pipelines)
Azure DevOps – Release Pipelines
To achieve Continuous Delivery we use Release Pipelines.






Real-World Demo 24: Azure MySQL Single Server (MySQL Server, Application Gateway, VM Scale Sets)


Azure MySQL Deployment Options
Terraform Resource not available as of today


Azure MySQL Single Server (architecture diagram)
Azure Cloud / Resource Group / Virtual Network: Users request http://terraformguru.com and https://terraformguru.com at the LB Public IP of the Azure Application Gateway (AG Subnet, AG NSG; HTTP To HTTPs Redirect, SSL Certs, Error Pages 502.html and 403.html from an Azure Storage Account) → App1 VMSS (Web Tier Subnet, Web NSG).
The Web Tier Subnet carries a VNET Service Endpoint, and a MySQL Virtual Network Rule lets only that subnet reach the Azure MySQL Single Server.


Azure MySQL Single Server with Virtual Network Rules


Azure MySQL Single Server
Azure Resources:
- azurerm_mysql_server
- azurerm_mysql_database
- azurerm_mysql_firewall_rule
- azurerm_mysql_virtual_network_rule
Terraform Concepts:
- Input Variables – name.auto.tfvars
- Input Variables – -var-file=secrets.tfvars
- Input Variables Sensitive Flag = True
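The server, database, VNet rule and sensitive password variable together, as an added example and not the course's demo-24 code; resource group, VNet/subnet, names and the CIDR are assumptions, and azurerm_mysql_server targets the Single Server offering used here (Azure has since retired it in favour of Flexible Server):

```hcl
# Added example (not the course's demo-24 code): Azure MySQL Single Server that
# only the web-tier subnet can reach through a VNet service endpoint, with the
# admin password supplied as a sensitive variable from secrets.tfvars.
# Resource group, VNet/subnet, names and the address prefix are assumptions.

variable "db_admin_password" {
  description = "MySQL administrator password (pass via -var-file=secrets.tfvars)"
  type        = string
  sensitive   = true   # redacted from plan/apply output, but still written to state
}

# The subnet that may talk to MySQL must expose the Microsoft.Sql service endpoint.
resource "azurerm_subnet" "websubnet" {
  name                 = "websubnet"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.0.1.0/24"]
  service_endpoints    = ["Microsoft.Sql"]
}

resource "azurerm_mysql_server" "db" {
  name                = "mysql-terraformguru-demo"   # globally unique
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location

  administrator_login          = "dbadmin"
  administrator_login_password = var.db_admin_password

  sku_name   = "GP_Gen5_2"   # VNet rules need General Purpose or Memory Optimized
  version    = "8.0"
  storage_mb = 5120

  # Encrypt in transit and refuse clients that cannot negotiate TLS 1.2.
  ssl_enforcement_enabled          = true
  ssl_minimal_tls_version_enforced = "TLS1_2"

  # VNet rules work on the public endpoint; the rule below limits who may use it.
  public_network_access_enabled = true
  backup_retention_days         = 7
  geo_redundant_backup_enabled  = false
  auto_grow_enabled             = true
}

resource "azurerm_mysql_database" "ums" {
  name                = "webappdb"
  resource_group_name = azurerm_resource_group.rg.name
  server_name         = azurerm_mysql_server.db.name
  charset             = "utf8"
  collation           = "utf8_unicode_ci"
}

# Only traffic originating in the web subnet reaches the server. Do not add a
# 0.0.0.0-255.255.255.255 firewall rule alongside it: that would admit every
# Azure public IP and undo the restriction.
resource "azurerm_mysql_virtual_network_rule" "web" {
  name                = "allow-websubnet"
  resource_group_name = azurerm_resource_group.rg.name
  server_name         = azurerm_mysql_server.db.name
  subnet_id           = azurerm_subnet.websubnet.id
}
```

Run it as `terraform apply -var-file=secrets.tfvars` with secrets.tfvars listed in .gitignore; because the password still lands in terraform.tfstate, the remote state container from demo 15 needs the same access control as the secret itself.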


User Management Web Application
Spring Boot User Management Web Application (Java) backed by a MySQL DB.
- UMS Web App with Create User, List User, Login and Logout Features
- New users created will be stored in MySQL DB
- UMS Web App needs MySQL DB to store its users. If connection to DB fails, it cannot start
- UMS Web App DB information can be passed via Environment Variables (DB Name, Port, User, Pass)
- UMS Web App Listens on Port 8080
- We can login with new users created to UMS Web App


User Management Web Application Custom Data
UMS – Login Screen
UMS – Landing Page Post Login
UMS – List Users Screen
UMS – Create Users Screen
UMS – List Users after Create User
UMS – Login with newly Created User


Terraform Configs
- SSL Self-Signed Certificates
- Azure Virtual Network with Subnets and Network Security Groups
- Azure Virtual Machine Scalesets with Autoscaling enabled
- Azure Bastion Linux VM – Enabled
- Azure Bastion Service - Disabled
- Azure Application Gateway + Storage Account for AG Error Pages
- Azure MySQL Single Server
- Terraform Input Variables: mysqldb.auto.tfvars
- Terraform Input Variables: secrets.tfvars


Time it takes to complete this Demo: Real-World Demo 24
Terraform Modules


Terraform Modules
Modules are containers for multiple resources that are used together. A module consists of a collection of .tf files kept together in a directory.
- Modules are the main way to package and reuse resource configurations with Terraform.
- Every Terraform configuration has at least one module, known as its root module, which consists of the resources defined in the .tf files in the main working directory.
- A Terraform module (usually the root module of a configuration) can call other modules to include their resources into the configuration.
- A module that has been called by another module is often referred to as a child module.
- Child modules can be called multiple times within the same configuration, and multiple configurations can use the same child module.
- In addition to modules from the local filesystem, Terraform can load modules from a public or private registry.
- This makes it possible to publish modules for others to use, and to use modules that others have published.


Terraform Registry – Use Publicly Available Modules (Demo 1)
- The Terraform Registry hosts a broad collection of publicly available Terraform modules for configuring many kinds of common infrastructure.
- These modules are free to use, and Terraform can download them automatically if you specify the appropriate source and version in a module call block.


Build manually and then automate using Terraform (Demo 2)
1. Build a Static Website using Azure manually using Azure Portal.
2. Automate it using Terraform Resources.


Build a Local Terraform Module (Demo 3)
Build a Local Terraform Module, call it from the Root Module and Test.


Publish to Public Terraform Registry (Demo 4)
Publish to Public Terraform Registry, access it from the Public Registry and Test.


Use various Module Sources (Demo 5)
In addition to Terraform Public and Private Registry, use various module sources.
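A local child module for the static website from Demo 2, called from a root module alongside a remote module source, as an added example covering Demos 3 and 5 rather than the course's own module code; the paths, variable names, repository URL and tag are assumptions:

```hcl
# Added example (not the course's module demos): a local child module that builds
# the demo-2 static website storage account, a root module that calls it, and a
# second call that pins a remote module to a release tag. The paths, variable
# names, repository URL and tag are assumptions.

# ---- file: modules/static-website/main.tf (child module) ----
variable "resource_group_name"  { type = string }
variable "location"             { type = string }
variable "storage_account_name" { type = string }

resource "azurerm_storage_account" "web" {
  name                      = var.storage_account_name
  resource_group_name       = var.resource_group_name
  location                  = var.location
  account_tier              = "Standard"
  account_kind              = "StorageV2"   # static website hosting needs V2
  account_replication_type  = "LRS"
  min_tls_version           = "TLS1_2"
  enable_https_traffic_only = true

  static_website {
    index_document     = "index.html"
    error_404_document = "error.html"
  }
}

# Only what callers need leaves the module; internal ids stay encapsulated.
output "website_url" {
  value = azurerm_storage_account.web.primary_web_endpoint
}

# ---- file: main.tf (root module) ----
module "static_website" {
  source               = "./modules/static-website"
  resource_group_name  = azurerm_resource_group.rg.name
  location             = azurerm_resource_group.rg.location
  storage_account_name = "stwebsitedemo01"   # globally unique, lower-case
}

# Remote sources are pinned to a fixed ref (a tag here, or better a full commit
# SHA; registry modules take a version argument) so a later push to the module
# repository cannot silently change what `terraform init` downloads.
module "static_website_shared" {
  source               = "git::https://github.com/example-org/terraform-azurerm-static-website.git?ref=v1.0.0"
  resource_group_name  = azurerm_resource_group.rg.name
  location             = azurerm_resource_group.rg.location
  storage_account_name = "stwebsitedemo02"
}

output "static_website_url" {
  value = module.static_website.website_url
}
```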


Private Module Registry in Terraform Cloud & Enterprise (Demo 6)
- Members of your organization might produce modules specifically crafted for your own infrastructure needs.
- Terraform Cloud and Terraform Enterprise both include a private module registry for sharing modules internally within your organization.
Practical Examples & Step-by-Step Documentation on Github
2 Hour 10 Minutes


ALL LIVE SLIDES ARE BEFORE THIS SLIDE
