We are using Chef as a One-Stop Solution on Microsoft Azure. Based on Azure DevOps as our CI/CD pipeline we are using Chef Cookbooks to provision infrastructure, deploy and configure software. We are doing compliance testing with Inspec too and are happily using Automate to represent the results.

2. Chef as a One-Stop Solution
on Microsoft Azure
Karsten Mueller, IT-Architect

3. Some background
• Company LichtBlick SE
o LichtBlick is the leading provider of green electricity and green
gas in Germany. Over one million people - the LichtBlicker -
already rely on our forward-looking energy products.
o 460 Employees, $780 million revenue in 2017
• LichtBlick IT Department (80 Employees)
o „We strive to build the most automated and customer-focused
platform for the energy business in Germany“
o Custom .NET Applications & Standard Software
o Using Azure Cloud & On-Premises Datacenters

4. My part in the game
• „Most of what architects have done traditionally should be done by
developers, or by tools, or not at all.“
• “An architect’s value is inversely proportional to the number of
decisions he or she makes.”
[ Erik Doernenburg & Martin Fowler, Craft Conf 2016 ]

5. My part in the game
• „Most of what architects have done traditionally should be done by
developers, or by tools, or not at all.“
• “An architect’s value is inversely proportional to the number of
decisions he or she makes.”
[ Erik Doernenburg & Martin Fowler, Craft Conf 2016 ]
• Roughly resulting in
o Working in Teams to collaborate on
Infrastructure Code
o Providing some guidance

6. System Libraries
Packages
Middleware
Application
Operating System
Cloud Infrastructure
Cookbooks
Our Approach Delivering Applications
Profiles

7. Our Approach Delivering Applications
• Custom Cookbooks (reusing Community Cookbooks)
• Chef Server
• Configuration data and Cookbooks
• Custom InSpec Profiles
• Chef Automate
• Provides observability for all engineers
• Azure DevOps as CI/CD Pipeline

8. Cookbooks
• Deployment of Custom .NET Applications
• Windows OS Customization (AD join, Anti-Malware, …)
• Windows OS Hardening
• Azure Ressource Provisioning using azure_mgmt resources from
Azure SDK for Ruby

9. Compliance Checks
• Compliance Checks
• CIS profiles
• Custom profiles
• LichtBlick contributed to „dev-sec/windows-baseline“
• https://github.com/LichtBlick/windows-baseline
• Observability

10. Compliance Checks – windows-baseline
control 'windows-001' do
title 'Ensure 'Enforce password history' is set to '24 or more password(s)''
desc 'This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password.
impact 1.0
tag 'windows': ['2012R2', '2016', '2019']
tag 'profile': ['Domain Controller', 'Member Server']
tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '1.1.1'
tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '1.1.1'
tag 'level': '1'
tag 'bsi': ['SYS.1.2.2.M3', 'Sichere Administration']
ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-
Modernisierung/UH_Windows_Server_2012.html'
ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
We added references to BSI* „IT-Grundschutz“
*BSI = German Federal Office for Information Security

11. Provisioning - the good, the bad und the ugly

12. Provisioning - the good, the bad und the uglyg

13. Provisioning - the good, the bad und the ugly
• Decision to provision Azure resources with Chef & Azure resource
manager (ARM)
• Used chef-provisioning-azurerm from Stuart Preston for a while
• Developed custom Library Cookbook „azure-chef-deployment“
• based on gems „azure_mgmt_*
Our „One Stop Solution“
• Separate Chef Roles are describing Azure resource provisioning and
Application Deployment
(in 2016)
(in 2018)
today

14. Provisioning Azure Resources with Chef
Code
Cookbooks
Build
Lint & Test
Release
Chef Zero
Azure DevOps
Azure Resources
Ressource Group
Network
Application
Virtual
Machine
Azure Keyvault
Azure Ressource Manager
Azure Active Directory
ARM Template
Secrets
Authentication
Chef Server
Provisioning
Role
&
Cookbook
Private Agent

15. Provisioning Cookbook – Azure Resources
Provisioning Role for Azure Resources
Default Attributes
default['tenant'] = 'a6238652-91a6-4d9a-90ga-3f16b12dc7c3'
default['subscription'] = 'a2d596e5-2671-463g-96bd-ff487gdb6269'
default['location'] = 'westeurope'
default['resource_tags'] = {}
default['arm_template_folder'] = Chef::Config[:file_cache_path]
default['skip_validation'] = false
Resources with specific attributes
• Network
• Network Security Group
• Virtual Machine
• Application Insights
• Availability Set
• Storage Account
• User Assigned Identity
• Key Vault
• Service Bus
• Azure Functions
• Scale Set

16. Provisioning Cookbook – Azure Network Resource
default['network'] = {
resource_group: 'rg-sharedenv-dev-net',
default_template_parameters: {},
subnets: []
}
Scheme
default_template_parameters: {
virtual_network_name: 'vnet-eu2-157_0_0-20',
virtual_network_address_prefix: '10.157.0.0/20',
dns_servers: ['10.144.2.4', '10.144.2.5']
}
subnets: [
{
name: 'subnet-eu2-157_0_0-24-gendev',
address_prefix: '10.157.0.0/24',
nsg_name: 'nsg-subnet-eu2-157_0_0-24-gendev'
}
]

17. Provisioning - Our Learnings so far
• Using Chef Roles for Provisioning & Deployment is easy
• Promoting changes over stages is still to be improved
• Even a thin abstraction layer brings in dependencies
• On ruby gems being the same version as in ChefDK
• Interested in using our Provisioning Cookbook as OpenSource?
• Just ping me: karsten.mueller@lichtblick.de, @karmueller

18. Provisioning – Q&A
• Your Questions?
• What kind of Cloud resources do you have to provision?
oIaaS (Virtual Machines, Networks, …), PaaS Services
oKubernetes as a Service
o…
• What approach are you using?
oManually using the Web UI
oProgrammatically using Provider specific API
oTerraform
o…

19. Collaborate on Code