I'm curious about how you all orchestrate your Infrastructure as Code, especially using tools like Terraform or Bicep. Do you integrate standard development practices like CI/CD pipelines, or do you find that setups often end up being a one-off with occasional redeploys due to configuration drift?
6 Answers
I prefer Terraform with Azure, storing the state in a storage account. It's key to maintain strict governance. Depending on the team's culture, you might choose to keep infrastructure hidden from devs completely, or provide a limited abstraction using modules. CI/CD is mandatory, while I've found Bicep to be a way for Microsoft to transition from ARM templates. Personally, I've been leaning back toward Azure CLI and PowerShell due to simplicity and governance needs, especially with the current job market challenges.
I use Azure DevOps with service principals to connect to different environments, along with multiple CI/CD pipelines that require approvals. State is managed in blob storage, and I check for drift daily. It's crucial to ensure no changes are made directly in the portal—everyone should follow the process. Removing access for individual roles with approval mechanisms helps maintain order, especially for Terraform pipelines. A one-off approach is just not effective in the long run.
That sounds like a solid approach! I’m aiming for something similar but need to address internal skill challenges before I can fully implement it.
How do you manage the networking aspect with private endpoints in your deployments? Do your service principals have the necessary access for that?
I find Terraform much easier for the long-term, even if the initial learning curve is steeper. Its `terraform plan` command is invaluable. I trust it implicitly compared to Bicep's `what-if`, which can be inconsistent. For drift detection, running `terraform plan` on a schedule in CI pipelines is a game-changer and can even trigger alerts if changes are found. I really believe in giving devs the freedom to manage their infrastructure while ensuring they have the right templates to standardize processes.
Each team has its own subscription and a dedicated deployment service principal. We enforce access through PIM, and everything gets built and deployed via pipelines in Azure DevOps with necessary approvals. All code, whether Terraform or Pulumi, goes into individual blob storage for state management, allowing teams to own their deployments.
It really comes down to team skills and project complexity. I've worked with both pure ARM and Terraform. I find Bicep kind of unnecessary, even though I always stick to CI/CD pipelines for deployments.
Bicep is just a lesser version of ARM, so I get the hesitation.
We're committed to using Bicep for all our infrastructure. We treat it like a typical software development lifecycle, complete with policies and deployments via YAML pipelines. It covers everything from Azure Front Door with WAF to private endpoints. Even with some criticisms, it works perfectly for us, and new users in my organization love it, especially those transitioning from Terraform.
How do you manage state and configuration drift with Bicep? That’s been a challenge for us.
I wouldn't say Bicep is a rip-off. I've used both, and though they have pros and cons, I find Bicep offers some cool features that can simplify things.