CA policies via Terraform
Posted by Formal-Run-8099@reddit | sysadmin | 9 comments
Apologies if this isn’t the correct sub and thanks for pointing me to the right one if that’s the case.
As per the title, my employer is pushing/forcing CA policies to be deployed via Terraform instead of our current click-ops.
Typical volume is circ. 5-10 new policies planned in the next few months to 1 year.
Learning the language would no doubt be great for my development and future, but to me, it seems overkill pushing CA behind terraform over the existing method.
Any thoughts, good or bad?
Thanks
jamesaepp@reddit
Learning how to automate simple projects is how you learn to automate big projects. Always worth IMO.
ForTenFiveFive@reddit
I think it's a good idea. Your CA policy changes and responsible users will all be recorded in Git, rolling back is made easier, and managing through the Azure web portal is a pain in the ass.
The biggest difficulty is getting the current administrators to adopt this approach. Shifting this stuff to Terraform isn't just a change in management interface; it's a change in administration paradigms.
It becomes much more worth it the higher the proportion of your systems you manage this way.
Far_Let1864@reddit
Great idea. It seems like overkill now, but once you start growing and need to track changes, audit, and roll back easily, you'll be glad it's in Terraform. It's an initial hurdle, but a solid skill for the future. Which provider are you using for CA?
bjc1960@reddit
Kind of overkill maybe, but it does provide a history of changes. Regardless, a good skill to have.
We use IaC for Azure app deployments in most cases. We don't use it for a single storage account we create where the network will be disabled once we add to it.
IaC will provide a way to redeploy quickly to another tenant. We are really small; it is just me and one person doing all of M365, Azure, AWS and GCP. Again, our home-grown SaaS app is Bicep.
Dangerous_Tooth8327@reddit
Some advantages that come to my mind:
- Terraform is so easy to read that you can use it as documentation of what is implemented. Even use terraform docs.
- If you need to replicate it for some reason, D&R or even M&A with a new tenant.
- You can run it periodically to detect drift if someone makes a mistake, and correct it automatically.
- It is a starting point to learn it and apply it to other click-ops processes.
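To make the "readable as documentation" and "drift detection" points concrete, here is an added example of what one CA policy looks like in the azuread Terraform provider (example code, not from the OP or any commenter). It assumes azuread provider 2.x and a pre-existing break-glass security group whose display name is a placeholder here.

```hcl
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.0"
    }
  }
}

provider "azuread" {}

# Assumed: an existing break-glass group; the display name is a placeholder.
# Excluding it keeps emergency accounts from being locked out by this policy.
data "azuread_group" "break_glass" {
  display_name     = "CA-Exclude-BreakGlass"
  security_enabled = true
}

# Report-only first: sign-in logs record what the policy *would* do,
# so impact can be reviewed before flipping state to "enabled".
resource "azuread_conditional_access_policy" "require_mfa_all_users" {
  display_name = "CA001 - Require MFA for all users"
  state        = "enabledForReportingButNotEnforced"

  conditions {
    client_app_types = ["all"]

    applications {
      included_applications = ["All"]
    }

    users {
      included_users  = ["All"]
      excluded_groups = [data.azuread_group.break_glass.object_id]
    }
  }

  grant_controls {
    operator          = "OR"
    built_in_controls = ["mfa"]
  }
}
```

Running `terraform plan` against the live tenant shows any portal-side edit to this policy as a diff, which is the drift detection mentioned above; `terraform apply` then puts the policy back to what is in Git.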
le-quack@reddit
Also allows you to use github/lab for change control/approval/review purposes
Dangerous_Tooth8327@reddit
Yep, that is a good one; instead of giving an admin user to an intern, you can ask him to do it and just approve the apply.
Cormacolinde@reddit
I think the third is the best reason to do this. Configuration drift is no joke.
Hotdog453@reddit
Is it just for your own single tenant? Then yes, that seems like overkill.
We have an MSP side of the business and did use Terraform for those tenants, as we roll out/buy new ones. But for a single tenant? Seems like overkill.