This directory provides Terraform configurations to provision load-balanced Linux virtual machines on the Microsoft Azure cloud platform. These machines can then be assigned any role. In the context of this repository they are configured with Ansible as Nginx web servers hosting a static web application.
In order to re-use the configurations please check the below tool matrix:
Name | Version Used | Help | Required |
---|---|---|---|
Terraform | >= 1.1.0 | Install Terraform | Yes |
Make | 3.81 | Download Make | Yes |
azure-cli | 2.50.0 | Install azure CLI | Yes |
homebrew | 4.1.3 | Homebrew Installation | No |
Azure Account | N/A | Create Azure account | yes |
If you have homebrew installed, all tools can be installed with the command `brew install <Name>`, except Azure Account 😁
- This guide is written for someone replicating the infrastructure provisioning from their local machine. To replicate it on GitHub, adjust the secrets and variables mentioned in .github/workflows and update the SSH keys in ssh_keys.
- To follow this guide, it is assumed that this repository has been cloned or forked and that the same folder structure is available on the end user's machine. The entire guide is written from the terraform/linux-webserver-with-loadbalancer directory.
Command Reference:
```bash
git clone https://github.com/ishuar/terraform-ansible.git
cd terraform-ansible/terraform/linux-webserver-with-loadbalancer/
```
Here, we will use Makefile commands for easy installation and provisioning.
INFO: Use the `make help` command to see its usage.
It is a best practice to use remote backends for Terraform; this guide specifically uses the azurerm remote backend. Refer to Example Configuration for more details on its configuration.
We can use any appropriate method to authenticate to Azure Resource Manager; this guide uses `az login`.
- Run the `az login` command.
If the CLI can open your default browser, it initiates the authorization code flow and opens the default browser to load an Azure sign-in page. Otherwise, it initiates the device code flow and tells you to open a browser page at https://aka.ms/devicelogin and enter the code displayed in your terminal. If no web browser is available or the web browser fails to open, you may force the device code flow with `az login --use-device-code`.
- Sign in with your account credentials in the browser.
INFO: Contributor rights are preferred for the signed-in account; defining IAM is out of scope for this project.
Use the below command to create the Resource Group, Storage Account, and Container:
```bash
make create-backend
```
Behind the scenes, this uses the set-up-terraform-remote-state.sh shell script.
IMPORTANT:
⚠️ Please set at least the STORAGE_ACCOUNT_NAME environment variable to override the default name used in the script, as storage account names are globally unique, OR use the below command.
```bash
## If you want to set env var and create backend at the same time.
STORAGE_ACCOUNT_NAME=<globally_unique_storage_account_name> make create-backend
```
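A preflight check for the name chosen in the step above, as an added example that is not the repository's set-up-terraform-remote-state.sh. The function names and the sample name are assumptions; the availability query needs a prior `az login`.

```bash
# Added example (not the repository's set-up-terraform-remote-state.sh):
# check STORAGE_ACCOUNT_NAME before running `make create-backend`.
# Function names are assumptions.

# Azure storage account names are 3-24 characters, lowercase letters and digits only.
# Runs in a subshell so the LC_ALL=C setting (byte-wise ranges) does not leak.
valid_storage_account_name() (
  LC_ALL=C
  case "$1" in
    ''|*[!a-z0-9]*) exit 1 ;;
  esac
  [ "${#1}" -ge 3 ] && [ "${#1}" -le 24 ]
)

# Asks Azure whether the name is still free; needs a prior `az login`.
storage_account_name_available() {
  [ "$(az storage account check-name --name "$1" \
        --query nameAvailable --output json)" = "true" ]
}

# preflight_backend_name <name>: 0 = usable, 2 = invalid format, 3 = taken or query failed.
preflight_backend_name() {
  if ! valid_storage_account_name "$1"; then
    echo "invalid storage account name: '$1'" >&2
    return 2
  fi
  # Only query Azure when the CLI is installed; the format check still applies without it.
  if command -v az >/dev/null 2>&1; then
    storage_account_name_available "$1" || {
      echo "name '$1' is not available (or the az query failed)" >&2
      return 3
    }
  fi
  return 0
}

# Usage (constructed name):
#   preflight_backend_name "tfstatedemo12345" &&
#     STORAGE_ACCOUNT_NAME="tfstatedemo12345" make create-backend
```

A name that already belongs to an account you created in an earlier run is also reported as unavailable.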
In providers.tf, adjust the below parameters:
```hcl
terraform {
  backend "azurerm" {
    resource_group_name  = "rg-ansible-terraform" ## Optional, if overridden by env var in the step "Create infrastructure required for remote backend"
    storage_account_name = "STORAGE_ACCOUNT_NAME" ## Required, set STORAGE_ACCOUNT_NAME as env var.
    container_name       = "tfstate"              ## Optional, if overridden by env var in the step "Create infrastructure required for remote backend"
    key                  = "ansible-terraform"    ## Optional, if overridden by env var in the step "Create infrastructure required for remote backend"
  }
}
```
Once the backend configuration is set up, we can start with Terraform actions. A plan is generally optional in local workflows, but it is good practice as a dry run of the configuration.
- Use the below commands to generate the Terraform plan.
```bash
make init
make plan
```
INFO: Use the `make help` command to see its usage.
Once we are satisfied with the plan, the configuration can be applied to provision the infrastructure.
- Use the below command to apply the configuration.
```bash
make apply
```
IMPORTANT: By default a new SSH key pair is generated and the private key is saved in the ssh_keys directory. This is not recommended in production for security reasons; the SSH key should be generated outside of Terraform's scope and the local_public_key local variable should be updated with the correct path to the SSH key.
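One way to create the key pair outside Terraform, as the note above recommends (an added example, not code from this repository). The function names, key directory, key name and key comment are assumptions; point local_public_key at the printed public key path.

```bash
# Added example (not part of this repository): create the SSH key pair outside
# Terraform so the private key is not written to the repository's ssh_keys directory.
# Function names and the example paths are assumptions.

# Succeeds only if "$1" is a regular file with no group/other permission bits.
is_owner_only() {
  [ -f "$1" ] || return 1
  # `ls -ld` prints e.g. "-rw-------"; characters 5-10 are the group/other bits.
  [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# generate_vm_keypair <key_dir> <key_name>
# Prints the public key path on success; never overwrites an existing key.
generate_vm_keypair() {
  kp_dir=$1
  kp_path="$1/$2"
  if [ -e "$kp_path" ] || [ -e "$kp_path.pub" ]; then
    echo "refusing to overwrite existing key: $kp_path" >&2
    return 1
  fi
  # Create the directory with owner-only permissions.
  ( umask 077 && mkdir -p "$kp_dir" ) || return 1
  chmod 700 "$kp_dir" || return 1
  # RSA 4096 is used because Azure Linux VMs accept ssh-rsa public keys.
  # ssh-keygen prompts for a passphrase because -N is not given.
  ssh-keygen -q -t rsa -b 4096 -C "azure-webservers" -f "$kp_path" || return 1
  # Verify the private key is not readable by group or others before using it.
  is_owner_only "$kp_path" || {
    echo "private key is accessible to group/others: $kp_path" >&2
    return 1
  }
  printf '%s\n' "$kp_path.pub"
}

# Usage (constructed paths, outside the git checkout):
#   pub=$(generate_vm_keypair "$HOME/.ssh/azure-webservers" id_rsa)
#   # then set local_public_key to "$pub"
```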
After terraform apply, the load balancer FQDN is printed as the loadbalancer_frontend_fqdn output; a make command is also available to print it afterwards.
Use either of the below commands to get the load balancer's fully qualified domain name:
```bash
make lb-fqdn
### OR ###
make lb-url
```
Once you are done with your testing or want to de-provision the infrastructure, the whole Azure infrastructure can be deleted with the below command:
```bash
make destroy
```
Name | Version |
---|---|
terraform | >= 1.1.0 |
azurerm | ~> 3.50 |
Name | Version |
---|---|
azurerm | 3.67.0 |
http | 3.4.0 |
Name | Source | Version |
---|---|---|
ssh_key_generator | github.com/ishuar/terraform-sshkey-generator | v1.1.0 |
Name | Type |
---|---|
azurerm_lb.web_lb | resource |
azurerm_lb_backend_address_pool.nginx_webservers | resource |
azurerm_lb_probe.web_lb_probe | resource |
azurerm_lb_rule.web_lb_rule_app1 | resource |
azurerm_linux_virtual_machine.slaves | resource |
azurerm_network_interface.public | resource |
azurerm_network_interface_backend_address_pool_association.web_nic_lb_associate | resource |
azurerm_network_interface_security_group_association.webserver | resource |
azurerm_network_security_group.webserver | resource |
azurerm_network_security_rule.azurecloud | resource |
azurerm_network_security_rule.everyone_to_webservers | resource |
azurerm_network_security_rule.ssh | resource |
azurerm_public_ip.loadbalancer | resource |
azurerm_public_ip.pip | resource |
azurerm_resource_group.main | resource |
azurerm_subnet.webservers | resource |
azurerm_virtual_network.main | resource |
http_http.self_ip | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
ENABLE_LOCAL_DEVELOPMENT | (optional) Whether to enable Flag for local development or working from the hostmachine directly or not. Default is true | bool | true | no |
create_ssh_key_via_terraform | (optional) Whether to enable ssh key generation via terraform or not. Defaults to true | bool | true | no |
prefix | (optional) Prefix used for naming resources | string | "ansible-vm" | no |
private_key_filename | (optional) SSH private key filename created by terraform will be stored on your local machine in ssh_keys directory. | string | "ssh_keys/terraform-generated-private-key" | no |
Name | Description |
---|---|
loadbalancer_frontend_fqdn | Fully qualified domain name for loadbalancer front end to reach backend webservers |
nsg_name | Network Security group name |
resource_group | Resource group where all resources are deployed |
webservers_snet_address_prefix | Webservers Subnet Address prefix |
MIT License. See LICENSE for full details.