Hi,
I use a variety of technologies to manage deployments in Azure. Azure's main deployment mechanism for larger scale deployments is ARM templates. These are JSON files containing the REST syntax for a resource with a few functions thrown in but they are very low level and difficult to debug. I use these primarily when working with resources where I have to deploy features that haven't made it to the CLI or other deployment mechanism, mainly for when I know preview features may be required. A prime example of this is when deploying Azure Kubernetes services as teams want the latest features. There are a lot of complexities you can throw into ARM templates such as linked deployments, but I like to keep these simple and create a glue between the ARM templates (see later).
There is a new technology being used called Azure Bicep which I haven't used but is supposed to be the next killer feature which will replace ARM templates.
There is an infrastructure specific deployment tool which is multi cloud called Terraform. I fell in love with this tool when I first started using it because it manages dependencies for you between resources and also can very quickly put a large scale infrastructure into a specific state. Terraform is a destructive tool and people need to understand how to interpret a Terraform plan before being let loose. AN example of this is if you want to change the size of a VM in Azure. That isn't something you can change on the fly, Terraform will let this happen though by deleting the old VM in place and creating a new one. Terraform also allows a full deprovision of the infrastructure it stands up which is something that is often missed.
Due to the above reason and the fact the pipelines I am creating are used by lots of teams who don't know what they are doing, I couldn't continue using Terraform. I typically now use a mix of ARM templates and Azure CLI, and glue everything together using Ansible. Ansible will during a play provide the necessary logic to allow us to stand up the correct resources in specific circumstances. Our workflow when we write roles to stand up resources in Ansible is:
- What Azure resources are required for the specific use case?
- What other resources will this new role impact?
- What state do we need to store, how do we ensure that gets preserved if required?
- How can we cleanly deprovision the resources stood up by this role.
That is a bit simplistic but you get the picture. I have to say we still create support requests via the GUI but I do use the CLI now to get everything else. I can't remember when I last logged into the GUI actually, probably a couple of weeks back when I needed to get a secret from a Keyvault and wanted it just copied to the clipboard without any messing. I could have potentially done that with the CLI but couldn't remember the full secret name and also needed to paste the secret in an RDP session so it suited my use case at the time.
Interestingly enough for Azure Devops although I write pipelines using YAML templates I still use the GUI to interrogate the running of the pipelines and to capture any errors. It can be frustrating at times and I know there is preview support for the CLI now but I haven't adapted my workflow to run with that at the moment and its not high on the priority list.
Andrew.
-----Original Message-----
From: Darragh Ó Héiligh