Deploying Private AKS using Bicep, because ARM is not strong enough :๐Ÿฆพ!!!

7 minute read

"Buy Me A Coffee"

Project Bicep is taking ARM to the next level and it is making lots of good noise in the IaC world. I have been using terraform for a while so I decided to check it out and see how it compares to HCL language to deploy IaC in Azure Platform and also to see how easy it is to author these kind of templates. :astonished: Given that now Bicep support the creation of modules it makes it even more appealing, still early stages but looking forward to feature parity to terraform

Environment preparation for Bicep

What do I need to get started?

  1. I am using WSL2 on Win10 for my environment so I have updated my Azure CLI version to the latest, as it is required to be on v2.20 or later. Then I installed Bicep compiler running the command az bicep install.
  2. I installed the Bicep extension which definitely makes life so much easier as the intellisense is great and it makes authoring quite enjoyable
  3. I did rely on the Azure ARM Template documentation in order to check the values to use in the Bicep template regarding resource types similar to the Azure RM provider documentation in terraform. I had a few challenges here as Terraform API calls may use different variable names to interact with the Azure APIโ€™s.

AKS the terraform way

My terraform deployment uses modules stored in my Private Terraform Cloud Module repository. In that case, the structure of the deployment files looks as per below. The module structure in terraform is per below the right hand side. For instance, my deployment AKS Deployment will call all the approved modules to be consumed and deploy the whole solution.

AKS Deployment
        |_main.tf
        |    |_ AKS Module
        |    |   |_ main.tf
        |    |   |_ variables.tf
        |    |   |_ outputs.tf
        |    |
        |    |_ VNet Module
        |    |   |_ main.tf
        |    |   |_ variables.tf
        |    |   |_ outputs.tf
        |    |
        |    |_ Subnet Module
        |    |   |_ main.tf
        |    |   |_ variables.tf
        |    |   |_ outputs.tf
        |    |
        |    |_ Route Table Module
        |        |_ main.tf
        |        |_ variables.tf
        |        |_ outputs.tf
        |
        |_variables.tf
        |_outputs.tf
        |_providers.tf

The main.tf file of the AKS module looks like below with all the values to be provided by populating the variables. ๐Ÿ‘‡

resource "azurerm_kubernetes_cluster" "test" {

  name                      = var.name
  resource_group_name       = var.resource_group.name
  location                  = var.resource_group.location
  dns_prefix                = var.dns_prefix
  kubernetes_version        = var.kubernetes_version
  private_cluster_enabled   = true

  default_node_pool {
    name                 = "default"
    orchestrator_version = var.kubernetes_version
    node_count           = var.node_count
    vm_size              = var.node_size
    os_disk_size_gb      = var.os_disk_size_gb
    vnet_subnet_id       = var.node_vnet_subnet_id
    max_pods             = var.max_pods
    enable_auto_scaling  = true
    min_count            = var.auto_scaling_min_count
    max_count            = var.auto_scaling_max_count
    availability_zones   = var.availability_zones
  }

  addon_profile {

    azure_policy {
      enabled = false
    }
  }

  role_based_access_control {
    enabled = true

    azure_active_directory {
      managed = true

      admin_group_object_ids = var.aad_group_id
    }
  }

identity {
    type = "SystemAssigned"
  }

  network_profile {
    network_plugin     = "azure"
    network_policy     = var.network_policy
    load_balancer_sku  = "standard"
    outbound_type      = "userDefinedRouting"
    service_cidr       = "192.168.254.0/24"
    dns_service_ip     = "192.168.254.10"
    docker_bridge_cidr = "172.22.0.1/16"
  }
}

The deployment uses the provider.tf for the authentication to the Azure Platform for the deployment of the resources as such with a block similar to the one below when using terraform open source or you will have a service principal already assigned in TFC/TFE on the workspace for the deployment. Please refer to Terraform Configuration

AKS the Bicep way ๐Ÿฆพ

Azure Bicep did not disappoint and by using, the VSCode extension intellisense I was able to write the module in a few minutes in a similar fashion to my Terraform Module, still not as robust as terraform but I guess it is early stages for Bicep. The file structure is quite similar except here at this stage I cannot have my variables/parameters and outputs on separate files. In addition, I do not need the provider file, as this is ARM after all so the context used (user/SPN/identity) will be used for the deployment.

AKS Deployment
        |_main.bicep
            |_ AKS Module
            |   |_ aks.bicep
            |
            |_ Network Module
            |   |_ vnet.bicep
            |
            |_ Route Table Module
                |_ routetable.bicep

The aks.bicep file of the AKS module looks like below with all the values to be provided by populating the variables. ๐Ÿ‘‡

param location string = resourceGroup().location
param AKSName string
param subnet_id string 
param group_id string
param dns_prefix string
param kubernetes_version string
param node_count int
param auto_scaling_min_count int
param auto_scaling_max_count int
param max_pods int
param os_disk_size_gb int
param node_size string

resource aks 'Microsoft.ContainerService/[email protected]' = {
  name: AKSName
  location: location
  properties: {
    kubernetesVersion: kubernetes_version 
    enableRBAC: true
    dnsPrefix: dns_prefix
    aadProfile: {
      managed: true
      adminGroupObjectIDs: [
        group_id
      ]
    }
    networkProfile: {
      networkPlugin: 'azure'
      networkPolicy: 'azure'
      serviceCidr: '192.168.254.0/24'
      dnsServiceIP: '192.168.254.10'
      dockerBridgeCidr: '172.22.0.1/16'
      outboundType: 'userDefinedRouting'
    }
    apiServerAccessProfile: {
      enablePrivateCluster: true
    }
    addonProfiles: {
      azurepolicy: {
        enabled: false
      }
      httpApplicationRouting: {
        enabled: false
      }
    }
    agentPoolProfiles: [
      {
        name: 'agentpool'
        mode:'System'
        osDiskSizeGB: os_disk_size_gb
        count: node_count
        vmSize: node_size
        osType: 'Linux'
        type: 'VirtualMachineScaleSets'
        maxPods: max_pods
        vnetSubnetID: subnet_id
        enableAutoScaling: true
        minCount: auto_scaling_min_count
        maxCount: auto_scaling_max_count
        orchestratorVersion: kubernetes_version
        availabilityZones: [
          '1'
          '2'
          '3'
        ]
      }
    ]
  }
  identity: {
    type: 'SystemAssigned'
  }
}

output object object = aks
output aks_id string = aks.properties.privateFQDN
output aks_identity object = aks.properties.identityProfile

Definitely much nicer and easier to digest than an ARM in JSON format and quite similar to the terraform language layout at the end of the day same API calls ๐Ÿ’ช.

Module Structure using Bicep

Modules are called using the following syntax quite similar to terraform module blocks and supports depends on which was something introduced in terraform world from v13. However, versioning is not supported at this time as well as <module_path> itโ€™s only local not providing enough flexibility and governance around module creation for reusability.

module <name> '<module_path>' {
  name: <required name of the nested deployment>
  scope: <rg/subscription>
  // Input Parameters
  <parameter-name>: <parameter-value>
  dependsOn:[
    <module/resource>
  ]
}

Solution Deployment Bicep Way

In order to deploy the whole solution. I setup a main.bicep which makes the calls to the modules for the deployment based on variables and parameters required for each of them. The file will look like below. Given I am deploying the Resource Group to logically group my resources my deployment requires to be scoped to my subscription

targetScope = 'subscription'

param location string = 'australia east'

var RgName          = 'aks-rg-test'
var AKSName         = 'aks-development'
var AKSvNetName     = 'aks-vnet'
var AKSsubnetName   = 'aks-subnet'
var AKSsubnetPrefix = '10.0.3.0/25'

//Resource group
resource rg 'Microsoft.Resources/[email protected]' = {
  name: RgName
  location: location
}

module vnet './vnet.bicep' = {
  name: AKSvNetName
  scope: resourceGroup(rg.name)
  params: {
    location: location
    vNetName: AKSvNetName
    address_space: '10.0.3.0/24'
    SubnetName: AKSsubnetName
    subnetPrefix: AKSsubnetPrefix
  }
  dependsOn: [
    rg
  ]
}

module aks './aks.bicep' = {
  name: AKSName
  scope: resourceGroup(rg.name)
  params: {
    location: location
    subnet_id: vnet.outputs.subnetid
    group_id: 'bad1b814-cb6e-4027-afd2-ee0d27aef0e1'
    AKSName: 'aks-dev'
    dns_prefix: 'dev'
    kubernetes_version: '1.18.14'
    node_count: 1
    auto_scaling_min_count: 1
    auto_scaling_max_count: 3
    max_pods: 50
    os_disk_size_gb: 64
    node_size: 'Standard_D2_v3'
  }
  dependsOn: [
    vnet
  ]
}

output vnetid string    = vnet.outputs.vnet_id
output aksid string     = aks.outputs.aks_id
output aks_iden object  = aks.outputs.aks_identity

For the deployment I used Azure CLI and the deployment was just by running the below command. Where c short name for --confirm-with-what-if gives me a sense of a dry run similar to our terraform plan. We can get a JSON representation of a terraform plan like but I guess it will be a bit harder to inspect.

az deployment sub create -c --name aksbicep --template-file main.bicep --location 'australiaeast'

You can also have JSON representation for the changes by using the command below and you can potentially pipe the results so you can programmatically inspect those changes

az deployment sub what-if --no-pretty-print --name aksbicep --template-file deployment.bicep --location 'australiaeast'

image-center

Important I run this exercise using my account context with currently has a contributor role assignment. In enterprise scenarios, you will have a more comprehensive RBAC controls and potentially using CI/CD tools that will run under Service Principals or Manage Identities.

Summary

I really found Bicep so much better to deal with than ARM templates so if you are on an environment using ARM templates for all your deployments, Bicep will be a really good option to explore and the best of all is that you can get the latest released features so you will not have to wait for a release to start enjoying those new features. Still Bicep needs to mature a bit more to offer more flexibility but you can start getting the benefits already. Modules is something I hope it gets enhanced as this will definitely increase code reusability and will increase authoring time as you will remove copy/paste for different solution deployments

On the other hand If you are already using terraform you will be already enjoying a more mature product that is cloud agnostic in regards to its language. I will assume Bicep team will be making good efforts and make those awesome capabilities from Terraform available in Bicep. Project Bicep still will be native to Azure so it will not be a language you can use on other clouds.

If you are keen I found some motivation on the below great videos.๐Ÿ‘‡

I hope it was informative, hasta la vista and keep working out those ๐Ÿฆพ!!!

Code Download

The code I created for this demo is available in my blog repository Github.

๐Ÿšดโ€โ™‚๏ธ If you enjoyed this blog, you can empower me with some caffeine to continue working in new content ๐Ÿšดโ€โ™‚๏ธ.

"Buy Me A Coffee"

Comments