Get list of field values from Terraform map

If you have map or object variable or local in Terraform:

locals {
    users_object_ids = {
      "user1": { object_id: "d6c7ce3e-9f1d-4310-8862-8ab64e872246" },
      "user2": { object_id: "035c4713-14c0-43c3-a8b0-d4f21bc8ffca" },
    }
}

And you need to obtain list with object ids:

["d6c7ce3e-9f1d-4310-8862-8ab64e872246", "035c4713-14c0-43c3-a8b0-d4f21bc8ffca"]

You can use Terraform function values() (run terraform console to test it):

> values(local.users_object_ids)

[
  {
    "object_id" = "d6c7ce3e-9f1d-4310-8862-8ab64e872246"
  },
  {
    "object_id" = "035c4713-14c0-43c3-a8b0-d4f21bc8ffca"
  },
]

> values(local.users_object_ids)[*].object_id

[
  "d6c7ce3e-9f1d-4310-8862-8ab64e872246",
  "035c4713-14c0-43c3-a8b0-d4f21bc8ffca",
]
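As an added example that is not part of the original post, the same map is consumed in two ways: flattened into the list above with a for expression, and iterated directly with for_each to grant each user a role. The Key Vault resource name is assumed.

```hcl
# Added example (not from the original post): the same map consumed in two
# ways, a flat list of object ids and a per-user role assignment.
locals {
  users_object_ids = {
    "user1" = { object_id = "d6c7ce3e-9f1d-4310-8862-8ab64e872246" }
    "user2" = { object_id = "035c4713-14c0-43c3-a8b0-d4f21bc8ffca" }
  }

  # Same result as values(local.users_object_ids)[*].object_id, as a for expression
  object_id_list = [for u in local.users_object_ids : u.object_id]
}

# Assumed to exist elsewhere in the configuration: azurerm_key_vault.example
resource "azurerm_role_assignment" "secret_readers" {
  # Iterate over the map itself, not the flattened list: the resource address is
  # azurerm_role_assignment.secret_readers["user1"], so removing one user does
  # not shift indexes and recreate the other users' assignments.
  for_each = local.users_object_ids

  scope                = azurerm_key_vault.example.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = each.value.object_id
}

output "secret_reader_object_ids" {
  value = local.object_id_list
}
```

Keying the resource by the map key rather than by list index is what keeps a removed user from silently destroying and recreating everyone else's access.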


Share common information between Terraform configurations

Suppose you have 2 or more applications which are sharing the same environment (datacenter, zone, subscription, network etc.) and you need to reflect environment changes in applications’ Terraform configuration files.

HashiCorp is not rushing to implement include functionality in Terraform, but they propose the Data-Only Modules pattern instead.

You can create a shared module shared_constants which could look like this:

#
# Some Data sources
#

data "azurerm_subnet" "example" {
  name                 = "sn-backend"
  virtual_network_name = "vnet-production"
  resource_group_name  = "rg-networking"
}

#
# Some known constants
#

locals {
  firewall_public_ip = "205.10.107.10/32"
}

#
# Outputs
#

output "backend_subnet_id" {
  description = "Azure Subnet ID"
  value       = data.azurerm_subnet.example.id
}

output "firewall_public_ip" {
  description = "Firewall Public IP"
  value       = local.firewall_public_ip
}

In this case, application 1 and application 2 configuration files should look like this:

module "const" {
    source  = "../shared_constants"
}

resource "azurerm_network_interface" "example" {
  ...

  ip_configuration {
    ...
    subnet_id                     = module.const.backend_subnet_id
    ...
  }
}

The solution becomes more powerful if variables are added to the constants module, e.g.:

variable "scope" {
  description = "Constants scope"
  type        = string
}

locals {
  scopes = {
    "production" = {
      firewall_public_ip = "205.10.107.10/32"
    }
    "development" = {
      firewall_public_ip = "205.20.107.10/32"
    }
  }
}

output "firewall_public_ip" {
  description = "Firewall Public IP"
  value       = local.scopes[var.scope].firewall_public_ip
}

Application configuration file:

module "const" {
    source  = "../shared_constants"
    scope   = "production"
}

resource "..." "..." {
  ...

  ... = module.const.firewall_public_ip
  ...
}

This solution works both when all configuration is kept in the same place and when everything is split across different repositories.
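As an added example that is not from the original post, here is the scoped constants module extended with a validation on the scope variable (so a typo fails at plan time with a readable message) and an application in a separate repository that pins the module to a tagged revision. The git URL, resource group and NSG names are assumed.

```hcl
# Added example (not from the original post): scoped constants module with
# input validation, consumed from a separate repository at a pinned tag.

# --- shared_constants/variables.tf ---
variable "scope" {
  description = "Constants scope"
  type        = string

  validation {
    # Without this, a typo in scope surfaces as an "Invalid index" error on local.scopes
    condition     = contains(["production", "development"], var.scope)
    error_message = "scope must be one of: production, development."
  }
}

# --- shared_constants/main.tf ---
locals {
  scopes = {
    "production"  = { firewall_public_ip = "205.10.107.10/32" }
    "development" = { firewall_public_ip = "205.20.107.10/32" }
  }
}

output "firewall_public_ip" {
  description = "Firewall Public IP"
  value       = local.scopes[var.scope].firewall_public_ip
}

# --- application/main.tf (separate repository) ---
module "const" {
  # Assumed URL. Pinning to a tag means the application only picks up constant
  # changes when its owners bump the ref, which keeps the change reviewable.
  source = "git::https://git.example.com/infra/shared_constants.git?ref=v1.2.0"
  scope  = "production"
}

# The constant feeds a firewall rule, so a wrong scope would open the wrong address
resource "azurerm_network_security_rule" "allow_firewall" {
  name                        = "allow-from-firewall"
  priority                    = 100
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "443"
  source_address_prefix       = module.const.firewall_public_ip
  destination_address_prefix  = "*"
  resource_group_name         = "rg-app1"
  network_security_group_name = "nsg-app1"
}
```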

Azure App Services – Overview

Link to Azure App Services Sketchnote

Azure App Services provide PaaS for different kinds of applications:

  • Web Apps, which serve HTML pages and other web content from applications based on ASP.NET, Node.js, PHP, Ruby, Python, Java, or static websites
  • API Apps, which serve REST APIs
  • Mobile Apps, which serve REST APIs and data access over the OData protocol, and require push notification and additional mobile user authentication capabilities
  • Function Apps, which host event-based applications in a serverless manner
  • Custom Containerized Apps, which run a single Docker container from a configured registry or complex multi-container applications configured with Docker Compose

Azure requires an App Service Plan to be configured, which reserves dedicated compute resources for our applications.

App Service Plan defines:

  • Location (Azure Region) for our application
  • OS (Linux, Windows)
  • Vertical scaling
  • Horizontal scaling
  • Networking configuration

Vertical scaling options are defined by pricing tiers, grouped into the Free, Shared, Basic, Standard, Premium, and Isolated classes. Each tier has a number of Azure Compute Units, which indicates its performance objective, and its own set of capabilities and limits. Free and Shared tiers share compute resources with other Azure clients, so they are not recommended for production environments.

An App Service Plan runs applications on a set of VMs that are hidden from the engineer. At least one VM instance is always up once an App Service Plan is provisioned, which means it consumes budget even if no applications are deployed.

The service can be configured for horizontal autoscaling, which adds or removes instances based on performance metrics.

The engineer needs to take into consideration that there are two separate interfaces for inbound and outbound network traffic: the IP address used to enter the application is not the same one used to exit it.

By default, the outbound IP address is dynamic. To make it static, different techniques can be applied:

  • VNet Integration: associates an Azure Virtual Network subnet with the App Service Plan and limits the variation of IP addresses to the subnet's IP range. In this case, App Services traffic can additionally be routed through Azure Firewall or a NAT Gateway.
  • Hybrid Connections: makes it possible to pass all outbound traffic through an Azure Relay agent. This requires configuring and maintaining at least one Windows VM or server. The advantage of this approach is not only a deterministic outbound IP for the application but also the possibility to reach private networks behind highly restrictive firewall rules. The agent uses a pull connection method and can establish a connection even through an HTTP proxy.

IP address filtering for inbound connections can be done with Access Restrictions. If only private usage is required, a Private Endpoint can be configured to give the application a private IP.

Inbound connections can be protected with Azure Front Door or Azure Application Gateway.

Azure Traffic Manager can be used for sophisticated multi-region load balancing.

Each application has:

  • Application code or binaries
  • Application settings, including secrets, which can reference Azure Key Vault secrets
  • Deployment slots to facilitate a blue/green deployment model. Each deployment slot can be associated with its own code/application binaries source (Git pull, Git push, ZIP/WAR archives, FTPS, or cloud sync, e.g. OneDrive)
  • Backup & Restore capabilities, including backup of the application database
  • Monitoring with Azure Monitor
  • Quotas to restrict user access based on performance metrics
  • Authentication integration capabilities
  • SSL certificate & custom domain
  • Managed Identity to provide secure passwordless access to databases, Key Vault, and other Azure services deployed in the same tenant

App Services can be integrated with additional Azure services such as:

  • Azure CDN to speed up content delivery to end users
  • Azure Storage Accounts for log export or for persistent Docker container storage
  • Azure Application Insights to monitor and debug application state
  • Azure API Management to aggregate and publish API offerings
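As an added example that is not part of the original post, the following Terraform configuration wires together several of the protections listed above: a dedicated plan tier, HTTPS only, a system-assigned managed identity, an Access Restriction, and an app setting that references a Key Vault secret. The resource names, the gateway subnet and the Key Vault are assumed.

```hcl
# Added example (not from the original post): an App Service configured with
# the protections described above. Names, the gateway subnet and the Key Vault
# are assumed.
resource "azurerm_service_plan" "plan" {
  name                = "asp-example"
  location            = "westeurope"
  resource_group_name = "rg-app"
  os_type             = "Linux"
  sku_name            = "P1v2" # dedicated compute; Free/Shared tiers are shared with other tenants
}

resource "azurerm_linux_web_app" "app" {
  name                = "app-example"
  location            = azurerm_service_plan.plan.location
  resource_group_name = azurerm_service_plan.plan.resource_group_name
  service_plan_id     = azurerm_service_plan.plan.id
  https_only          = true

  identity {
    type = "SystemAssigned" # Managed Identity: no credentials stored in the app
  }

  site_config {
    minimum_tls_version = "1.2"
    ftps_state          = "Disabled"

    # Access Restriction: inbound only from the gateway subnet (assumed name);
    # once an Allow rule exists, everything else is denied by default.
    ip_restriction {
      name                      = "allow-gateway"
      action                    = "Allow"
      priority                  = 100
      virtual_network_subnet_id = azurerm_subnet.gateway.id
    }
  }

  app_settings = {
    # Key Vault reference: the secret value never lives in the app configuration
    "DB_PASSWORD" = "@Microsoft.KeyVault(SecretUri=https://kv-example.vault.azure.net/secrets/db-password/)"
  }
}

# The identity still needs read access to the secret (assumes azurerm_key_vault.example)
resource "azurerm_key_vault_access_policy" "app" {
  key_vault_id       = azurerm_key_vault.example.id
  tenant_id          = azurerm_linux_web_app.app.identity[0].tenant_id
  object_id          = azurerm_linux_web_app.app.identity[0].principal_id
  secret_permissions = ["Get"]
}
```

The access policy is what makes the Key Vault reference resolve at startup; without it the app setting stays unresolved and the application sees the literal reference string.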

IT Platforms – Reasoning

This post opens discussions about IT platforms and starts a series of articles about platform establishment and implementation challenges.

I will define an IT platform as all underlying resources needed to make an application work correctly.

Today, many non-IT companies do not have a holistic approach to IT management and do not understand their IT platform's importance. Each department often creates its own IT with a mix of internal and outsourced teams. The absence of communication and experience sharing between siloed IT teams makes everything worse. In the rare case where somebody tries to define organization-wide standards as architecture principles, patterns, or building blocks, the work usually stops at the definition of naming conventions.

Organizations are hiring DevOps engineers when DevOps is a culture. DevOps requires a transformation of the organization. The transformation does not happen, and DevOps engineers become system administrators with Infrastructure as Code and CI/CD pipeline configuration skills.

It is not evident how IT platforms contribute to business value

It is easy to define value for an end-user. I can define it as a correct response from an application:

  • when a user applies a formula to an Excel cell and it gives a correct answer
  • when a client clicks the Buy button and finds all the ordered products, in the correct quantity for each item, in his or her post box
  • when we send a message to our friends and get responses without broken encoding, no matter which language we are using

In IT, we use a lot of terms from the real estate industry. The principal value of a house is its living space. But what about the house's basement and surroundings? Imagine an application as a building in the "IT platform" city and its features as inhabitants. What does an inhabitant need to produce maximum value and work correctly?

A modern application, depending on its architecture, requires many dependencies: security libraries, operating system, network, servers, etc.

The IT platform needs to provide foundations capable of supporting applications of a specific architecture with particular requirements, preventing failures and protecting the application from them. While a mobile home does not require much, a large trade center needs a more serious approach.

The IT platform is also an ecosystem. Without public services, communications, and roads around them, buildings with many square meters are not very valuable to inhabitants. If nobody can access your application and it cannot integrate with other services, it has few useful features to offer.

When there is more than one building, some organization is required. If no governance is applied, the company's application portfolio will become a city where everybody builds their houses wherever they want, in their own manner. The value of real estate in this kind of location will decrease.

So, implementing only the application's requirements is not enough.

The only problem with this metaphor is that a mess in the physical world is visible, while virtual infrastructure can be pictured only by experts. With ambitious profit goals, managers often prefer to create new applications, new features, and visual design, and to place them in the cheapest possible places.

It is possible to create a WordPress site with a few freelancing hours and put it on a hosting platform for 5 EUR/month, or to hire an Azure expert and get a visually identical WordPress website on a VM for 50 EUR/month. If you do not have clear principles and criteria, there is no justification for the cloud solution, but the cheap option could be the wrong one.

It is not enough to create an application; we need to maintain it

If we are passionate about building new houses without a strategy for evolving the ecosystem around them, someday we will build a new house, connect it to the utilities, and cut off the water in some random places.

Someday we realise that half the houses in the city are without electricity, and the cause is not the power station but the citizens themselves. We do not have any alternative power supply.

Abandoned houses are somewhere in our city.

Without a plan B and maintenance, things fail and degrade. Look at pictures from Pripyat near Chernobyl: this was not caused by the nuclear station accident; this is a city without maintenance. This challenge becomes more critical in our Cloud Age: what will happen to an application when the OS images it depends on disappear from the cloud provider's support?

The business role of the IT platform here is in optimizing operational costs. If we have taken care of monitoring, we know where the issue is, and we do not need to dig up the whole water pipeline. Do we have systems that launch disaster recovery and self-healing procedures automatically?

IT platform-level components are complex things to change. Rebuilding or rewiring houses to put roads and utilities between them can be costly. We need to include platform evolution in the design of new applications and features.

Any application needs an IT platform behind and around it

If there are many problems, why not take a SaaS application and be happy?

That could be true if a company uses only one SaaS-like service. When there are more services, we have to think about corporate user identities and integrations between those applications so that they work on a common set of data. This requires a transversal ecosystem to manage them, that is, an IT platform. To continue our metaphor, multiple cities and countries also need connections between them.

In large corporations, we cannot avoid a mix of application types:

  • Legacy applications: old applications with proprietary protocols, without the capability for deployment and configuration automation
  • Custom applications: applications developed inside the organization or by an outsourced development team
  • Vendor software: ready-to-use applications that still need installation and configuration aligned with the company's needs
  • SaaS applications: applications managed by a third party, where we still have to pay attention to the Shared Responsibility Model and the agreements with the SaaS provider

The IT platform's role here is to absorb knowledge about application requirements and architecture patterns, and to regulate a manageable set of standard application types. The IT team can provide alignment tools and methods.

The IT platform must also provide tools to deploy and configure the applications supported by IT.

IT platform can accelerate value creation

The IT platform provides standard architecture patterns and implements a set of services. An everything-as-code approach is the best way to represent standards and architecture patterns. Additionally, we can provide developer tools with microframeworks and APIs. A good toolset and knowledge base frees creators from inventing everything from scratch and lets them focus on producing valuable features.

Standard patterns also help define service level for the entire application and not just for the platform’s service.

IT platform can provide:

  • Identity Services
  • Security Services
  • Monitoring Services
  • File Storage Services
  • Database Services
  • CI/CD Services
  • Business Continuity & Disaster Recovery Services
  • Virtual Desktop Services
  • Images Building & Registry Services
  • API Management Services
  • Integration Services
  • Workstation Management Services

The IT platform abstracts away from the application:

  • Physical Datacenter
  • Physical Network
  • Physical Storage
  • Physical Servers
  • Hypervisor
  • Software Defined Network
  • Virtual Storage
  • Virtual Machines (IaaS level, if we use cloud providers in our IT platform architecture)
  • Operating System
  • Server Clusters
  • Middleware (PaaS level)

Unfortunately, Cloud providers do not solve all problems related to the company’s proper IT platform establishment. We still need to develop our policies, naming conventions, IaaS/PaaS/SaaS service configurations, and integrations.

Automation is unavoidable for scaling

This is the industrial revolution age of system administration. No more manual work: repeatable and time-consuming operations must be done automatically in the IT platform.

When you have thousands of applications and their instances on the platform, nobody can manage them manually.

Roles that can help with this task:

  • Site Reliability Engineer
  • DevOps Engineer
  • IT Architect
  • System Administrator
  • Network Administrator
  • Datacenter Engineer

As a conclusion

Often, when the business is growing and application load is increasing, it turns out we needed our platform yesterday.

Enterprise IT requires a holistic and strategic approach. A specific project stream for the company-level IT platform can be a core concept for bringing everything together.

Balancing investment in IT platform development is not easy, but we have to track problems and risks from different viewpoints.

Here are some ideas for metrics to prioritize the work:

  • Application error statistics, especially errors related to platform and human-factor issues
  • IT service delivery time
  • Losses due to security breaches
  • New application feature delivery time
  • Count of project blockers related to infrastructure delivery

There is much more work to do on IT platforms:

  • Platform and application energy efficiency and ecological impact control
  • Increasing load from new technologies related to 5G, IoT, virtual worlds, and augmented reality
  • Challenges related to new and alternative compute and storage technologies (synthetic DNA, quantum computing)

Leave me a comment. What about your experiences and expectations from IT platforms?