Azure Plugin

The Azure plugin enables you to use Cloudify to manage cloud resources on Azure. See below for currently supported resource types.

Plugin Requirements

Compatibility

The Azure plugin has two methods for interacting with Azure services: legacy and SDK based.

The legacy library is tested against these Azure API Versions:

  RESOURCES = '2017-05-10'
  STORAGE = '2015-06-15'
  NETWORK = '2016-03-30'
  COMPUTE = '2016-03-30'

The SDK-based method is dependent on the SDK library versions. (See the setup.py for current versions.) Currently only ARM resource template node templates use this method.

Authentication

Each Azure resource node template must include an azure_config property for authentication. It consists of a tenant_id, a client_id, a client_secret or client_assertion, and a subscription_id. Provide these values via secrets so that they do not appear as literals in the blueprint.

Plugin 1.8.0 introduced support for certificate-based authentication. Provide subscription_id, tenant_id, client_id and client_assertion. For more information see overview of client_assertion authentication and how to create an AD client certificate.

Authentication with Azure services requires a Service Principal. See this documentation from Microsoft on creating a Service Principal.

Providing Credentials as Secrets

It is recommended that you store your credentials as secrets. You can do this using the CLI. Secrets can then be accessed inside your blueprints, as follows:

 resource_group:
    type: cloudify.azure.nodes.ResourceGroup
    properties:
      name: my_resource_group
      location: { get_secret: location }
      azure_config:
        subscription_id: { get_secret: subscription_id }
        tenant_id: { get_secret: tenant_id }
        client_id: { get_secret: client_id }
        client_secret: { get_secret: client_secret }
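
The recommendation above can be checked mechanically. The following is an added example, not part of the Cloudify plugin or its documentation: it walks a parsed blueprint and reports credential-like properties that are not supplied through get_secret. The SENSITIVE_KEYS set and the sample data are assumptions built from the property names used in this page's examples.

```python
# Added example, not plugin code: report credential-like blueprint properties
# that are not supplied through get_secret.

# Key names taken from the examples on this page; extend for your own blueprints.
SENSITIVE_KEYS = {"client_secret", "client_assertion", "adminPassword", "secret"}


def classify(value):
    """Return the intrinsic function that supplies a value, or 'literal'."""
    if isinstance(value, dict) and len(value) == 1:
        func = str(next(iter(value)))
        if func.startswith("get_") or func == "concat":
            return func
    return "literal"


def audit(node, path=()):
    """Return [(dotted_path, source)] for sensitive keys not backed by get_secret."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = path + (str(key),)
            if key in SENSITIVE_KEYS:
                source = classify(value)
                if source != "get_secret":
                    findings.append((".".join(here), source))
            else:
                findings.extend(audit(value, here))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings.extend(audit(item, path + (str(index),)))
    return findings


# Constructed sample: node_templates as a YAML loader would return them,
# modelled on the node types documented on this page.
AZURE_CONFIG = {
    "subscription_id": {"get_secret": "subscription_id"},
    "tenant_id": {"get_secret": "tenant_id"},
    "client_id": {"get_secret": "client_id"},
    "client_secret": {"get_secret": "client_secret"},
}
SAMPLE_NODE_TEMPLATES = {
    "resource_group": {"properties": {"azure_config": AZURE_CONFIG}},
    "host": {"properties": {"azure_config": AZURE_CONFIG, "resource_config": {
        "osProfile": {"adminPassword": {"get_input": "password"}}}}},
    "managed_cluster": {"properties": {"azure_config": AZURE_CONFIG, "resource_config": {
        "windows_profile": {"adminPassword": "constructed-literal"},
        "service_principal_profile": {"secret": {"get_input": "client_secret"}}}}},
}

if __name__ == "__main__":
    for path, source in audit(SAMPLE_NODE_TEMPLATES):
        print(f"{path}: supplied via {source}, expected get_secret")
```

Because YAML aliases such as *azure_config resolve to the anchored mapping when the blueprint is loaded, a single anchored azure_config is checked wherever it is referenced.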
 

Azure Stack

Cloudify Azure Plugin version 1.6.0 introduced support for Azure Stack.

To configure your client, add the appropriate values for your endpoint keys, such as endpoint_resource, endpoints_resource_manager, endpoint_verify, and endpoints_active_directory.

Make sure to specify an api_version for each Azure resource that your Azure Stack installation currently supports.

Example:

 resource_group:
    type: cloudify.azure.nodes.ResourceGroup
    properties:
      api_version: 2017-05-10
      name: my_resource_group
      location: { get_secret: location }
      azure_config:
        subscription_id: { get_secret: subscription_id }
        tenant_id: { get_secret: tenant_id }
        client_id: { get_secret: client_id }
        client_secret: { get_secret: client_secret }
        endpoint_resource: https://management.core.windows.net/
        endpoints_resource_manager: https://management.azure.com
        endpoint_verify: True
        endpoints_active_directory: https://login.microsoftonline.com
 

Types

The following are node type definitions. Nodes describe resources in your cloud infrastructure. For more information, see node types.

Common Properties

All cloud resource nodes have common properties:

Properties

Each time that you manage a resource with Cloudify, one or more clients are created by Cloudify through the Azure API. You specify the configuration for these clients using the azure_config property. It should be a dictionary, with the following values:

Your Azure API access credentials

See the cloudify.datatypes.azure.Config data type definition in the plugin’s plugin.yaml.

cloudify.azure.Deployment

Deploy an Azure ARM Template.

Derived From: cloudify.nodes.Root

Properties:

See the Common Properties section.

Example

This example shows adding resource parameters, and explicitly defining the azure_config.

  deployment:
    type: cloudify.azure.Deployment
    properties:
      name: azure-python-deployment-sample
      location: { get_input: location }
      azure_config: *azure_config
      params:
        sshKeyData: { get_input: public_key }
        vmName: { get_input: vm_name }
        dnsLabelPrefix: { get_input: vm_dns_name }
      template_file: template.json

  deployment:
    type: cloudify.azure.Deployment
    properties:
      name: azure-python-deployment-sample
      location: { get_input: location }
      azure_config: *azure_config
      params:
        sshKeyData: { get_input: public_key }
        vmName: { get_input: vm_name }
        dnsLabelPrefix: { get_input: vm_dns_name }
      # The following template has been truncated.
      template: {
          "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json",
          "contentVersion": "1.0.0.0",
          "parameters": {...},
          "variables": {...},
          "resources": [...]
      }

Mapped Operations:

cloudify.azure.nodes.ResourceGroup

Derived From: cloudify.nodes.Root

Properties:

See the Common Properties section.

Example

This example shows adding resource parameters, and explicitly defining the azure_config.

  resourcegroup:
    type: cloudify.azure.nodes.ResourceGroup
    properties:
      name: { concat: [ { get_input: resource_prefix }, rg ] }
      location: { get_input: location }
      azure_config:
        subscription_id: { get_input: subscription_id }
        tenant_id: { get_input: tenant_id }
        client_id: { get_input: client_id }
        client_secret: { get_input: client_secret }

Mapped Operations:

cloudify.azure.nodes.storage.StorageAccount

Derived From: cloudify.nodes.Root

Properties:

See the Common Properties section.

Example

This example shows adding storage parameters, and explicitly defining the azure_config.

  storageaccount:
    type: cloudify.azure.nodes.storage.StorageAccount
    properties:
      name: mysa01
      location: { get_input: location }
      retry_after: { get_input: retry_after }
      resource_config:
        accountType: Standard_LRS
      azure_config: *azure_config

Mapped Operations:

cloudify.azure.nodes.network.VirtualNetwork

Derived From: cloudify.nodes.Root

Properties:

See the Common Properties section.

Example

This example shows adding virtual network parameters, and explicitly defining the azure_config.

  virtual_network:
    type: cloudify.azure.nodes.network.VirtualNetwork
    properties:
      name: myvnet01
      location: { get_input: location }
      retry_after: { get_input: retry_after }
      azure_config: *azure_config

Mapped Operations:

cloudify.azure.nodes.network.Subnet

Derived From: cloudify.nodes.Root

Properties:

See the Common Properties section.

Example

This example shows adding subnet parameters, and explicitly defining the azure_config.

  subnet:
    type: cloudify.azure.nodes.network.Subnet
    properties:
      name: mysubnet
      location: { get_input: location }
      retry_after: { get_input: retry_after }
      azure_config: *azure_config
      resource_config:
        addressPrefix: { get_input: subnet_private_cidr }

Mapped Operations:

cloudify.azure.nodes.network.NetworkSecurityGroup

Derived From: cloudify.nodes.Root

Properties:

See the Common Properties section.

Example

This example shows adding security group parameters, and explicitly defining the azure_config.

  networksecuritygroup:
    type: cloudify.azure.nodes.network.NetworkSecurityGroup
    properties:
      name: mynsg
      location: { get_input: location }
      retry_after: { get_input: retry_after }
      azure_config: *azure_config
      resource_config:
        securityRules:
        - name: nsr_ssh
          properties:
            description: SSH access
            protocol: Tcp
            sourcePortRange: '*'
            destinationPortRange: 22
            sourceAddressPrefix: '*'
            destinationAddressPrefix: '*'
            priority: 100
            access: Allow
            direction: Inbound

Mapped Operations:

cloudify.azure.nodes.network.NetworkSecurityRule

Derived From: cloudify.nodes.Root

Properties:

See the Common Properties section.

Example

This example shows adding security group rule parameters, and explicitly defining the azure_config.

  network_security_rule:
    type: cloudify.azure.nodes.network.NetworkSecurityRule
    properties:
      name: mocknsr
      location: eastus
      azure_config: *azure_config
      network_security_group_name: mocknsg
      resource_config:
        description: RDP access
        protocol: Tcp
        sourcePortRange: '*'
        destinationPortRange: 3389
        sourceAddressPrefix: '*'
        destinationAddressPrefix: '*'
        priority: 100
        access: Allow
        direction: Inbound
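
Both security rule examples on this page allow inbound traffic from any source address ('*') to a management port (22 and 3389). The following added example, which is not plugin code, scans a parsed blueprint for such rules; the set of management ports, the any-source values and the sample nodes are assumptions.

```python
# Added example, not plugin code: find inbound Allow rules open to any source.

ANY_SOURCE = {"*", "0.0.0.0/0", "internet"}  # compared case-insensitively
MGMT_PORTS = {22: "SSH", 3389: "RDP"}  # assumption: ports treated as management
NSG = "cloudify.azure.nodes.network.NetworkSecurityGroup"
NSR = "cloudify.azure.nodes.network.NetworkSecurityRule"


def port_in_range(port, spec):
    """True if port matches a destinationPortRange such as '*', 22 or '3000-4000'."""
    spec = str(spec).strip()
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    try:
        return int(low) <= port <= int(high or low)
    except ValueError:  # unresolved intrinsic function such as get_input
        return False


def iter_rules(node_templates):
    """Yield (node, rule_name, rule_properties) for both rule layouts on this page."""
    for node, template in node_templates.items():
        props = template.get("properties", {})
        config = props.get("resource_config", {})
        if template.get("type") == NSG:
            for rule in config.get("securityRules", []):
                yield node, rule.get("name"), rule.get("properties", {})
        elif template.get("type") == NSR:
            yield node, props.get("name"), config


def exposed_rules(node_templates):
    """Return [(node, rule_name, service)] for management ports open to any source."""
    findings = []
    for node, name, p in iter_rules(node_templates):
        direction, access, source = (str(p.get(k)).lower() for k in
                                     ("direction", "access", "sourceAddressPrefix"))
        if (direction, access) == ("inbound", "allow") and source in ANY_SOURCE:
            findings.extend((node, name, svc) for port, svc in MGMT_PORTS.items()
                            if port_in_range(port, p.get("destinationPortRange", "")))
    return findings


def sample_rule(port, source):
    return {"protocol": "Tcp", "destinationPortRange": port,
            "sourceAddressPrefix": source, "access": "Allow", "direction": "Inbound"}


SAMPLE = {  # constructed: the page's two rules plus two constructed variants
    "networksecuritygroup": {"type": NSG, "properties": {"resource_config": {"securityRules": [
        {"name": "nsr_ssh", "properties": sample_rule(22, "*")},
        {"name": "nsr_admin", "properties": sample_rule(22, {"get_input": "admin_cidr"})},
        {"name": "nsr_wide", "properties": sample_rule("3000-4000", "Internet")}]}}},
    "network_security_rule": {"type": NSR, "properties": {
        "name": "mocknsr", "resource_config": sample_rule(3389, "*")}},
}

if __name__ == "__main__":
    print(exposed_rules(SAMPLE))
```

A rule whose sourceAddressPrefix comes from an input, such as the constructed nsr_admin rule, is not reported because its value is only known at deployment time.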

Mapped Operations:

cloudify.azure.nodes.network.RouteTable

Derived From: cloudify.nodes.Root

Properties:

See the Common Properties section.

Example

This example shows adding route table parameters, and explicitly defining the azure_config.

  routetable:
    type: cloudify.azure.nodes.network.RouteTable
    properties:
      name: myrt
      location: { get_input: location }
      retry_after: { get_input: retry_after }
      azure_config: *azure_config

Mapped Operations:

cloudify.azure.nodes.network.Route

Derived From: cloudify.nodes.Root

Properties:

See the Common Properties section.

Example

This example shows adding route rule parameters, and explicitly defining the azure_config.

  internetroute:
    type: cloudify.azure.nodes.network.Route
    properties:
      name: myir
      location: { get_input: location }
      retry_after: { get_input: retry_after }
      azure_config: *azure_config
      resource_config:
        addressPrefix: 0.0.0.0/0
        nextHopType: Internet

Mapped Operations:

cloudify.azure.nodes.network.IPConfiguration

Derived From: cloudify.nodes.Root

Properties:

See the Common Properties section.

Example

This example shows adding IP configuration parameters, and explicitly defining the azure_config.

  ubuntuipconfig:
    type: cloudify.azure.nodes.network.IPConfiguration
    properties:
      name: myuic
      location: { get_input: location }
      retry_after: { get_input: retry_after }
      azure_config: *azure_config
      resource_config:
        privateIPAllocationMethod: Dynamic

Mapped Operations:

cloudify.azure.nodes.network.PublicIPAddress

Derived From: cloudify.nodes.Root

Properties:

See the Common Properties section.

Example

This example shows adding public IP address parameters, and explicitly defining the azure_config.

  ubuntuipconfig:
    type: cloudify.azure.nodes.network.IPConfiguration
    properties:
      name: myuic
      location: { get_input: location }
      retry_after: { get_input: retry_after }
      azure_config: *azure_config
      resource_config:
        privateIPAllocationMethod: Dynamic

Mapped Operations:

cloudify.azure.nodes.compute.AvailabilitySet

Derived From: cloudify.nodes.Root

Properties:

See the Common Properties section.

Example

This example shows adding availability set parameters, and explicitly defining the azure_config.

  availabilityset:
    type: cloudify.azure.nodes.compute.AvailabilitySet
    properties:
      name: myac
      location: { get_input: location }
      retry_after: { get_input: retry_after }
      azure_config: *azure_config

Mapped Operations:

cloudify.azure.nodes.compute.VirtualMachine

Derived From: cloudify.nodes.Root

Properties:

See the Common Properties section.

Example

This example shows adding VM parameters, and explicitly defining the azure_config.

  host:
    type: cloudify.azure.nodes.compute.VirtualMachine
    properties:
      name: myhost
      location: { get_input: location }
      retry_after: { get_input: retry_after }
      azure_config: *azure_config
      os_family: { get_input: os_family_linux }
      use_public_ip: false
      resource_config:
        hardwareProfile:
          vmSize: { get_input: standard_a2_size }
        storageProfile:
          imageReference:
            publisher: { get_input: image_publisher_centos_final }
            offer: { get_input: image_offer_centos_final }
            sku: { get_input: image_sku_centos_final }
            version: { get_input: image_version_centos_final }
        osProfile:
          computerName: { get_property: [SELF, name] }
          adminUsername: { get_input: username_centos_final }
          adminPassword: { get_input: password }
          linuxConfiguration:
            ssh:
              publicKeys:
                - path: { get_input: authorized_keys_centos }
                  keyData: { get_input: keydata }
            disablePasswordAuthentication: { get_input: public_key_auth_only }

Mapped Operations:

cloudify.azure.nodes.compute.VirtualMachineExtension

Derived From: cloudify.nodes.Root

Properties:

Example

This example shows adding VM extension parameters, and explicitly defining the azure_config.

  webserver:
    type: cloudify.azure.nodes.compute.VirtualMachineExtension
    properties:
      name: vm1_webserver
      location: { get_input: location }
      retry_after: { get_input: retry_after }
      resource_config:
        publisher: Microsoft.Powershell
        ext_type: DSC
        typeHandlerVersion: '2.8'
        settings:
          ModulesUrl: https://www.example.com/modules.zip
          ConfigurationFunction: windows-iis-webapp.ps1\CloudifyExample
          Properties:
            MachineName: { get_property: [vm1, name] }
            WebServerPort: { get_input: webserver_port }

Mapped Operations:

cloudify.azure.nodes.network.LoadBalancer

Derived From: cloudify.nodes.Root

Properties:

See the Common Properties section.

Example

This example shows adding load balancer parameters, and explicitly defining the azure_config.

  loadbalancer:
    type: cloudify.azure.nodes.network.LoadBalancer
    properties:
      name: mylb
      location: { get_input: location }
      retry_after: { get_input: retry_after }
      azure_config: *azure_config
    relationships:
    - type: cloudify.azure.relationships.contained_in_resource_group
      target: resourcegroup
    - type: cloudify.azure.relationships.connected_to_ip_configuration
      target: loadbalanceripcfg

Mapped Operations:

cloudify.azure.nodes.network.LoadBalancer.BackendAddressPool

Derived From: cloudify.nodes.Root

Properties:

See the Common Properties section.

Example

This example shows adding load balancer pool parameters, and explicitly defining the azure_config.

  loadbalancerbackendpool:
    type: cloudify.azure.nodes.network.LoadBalancer.BackendAddressPool
    properties:
      name: mylb
      location: { get_input: location }
      retry_after: { get_input: retry_after }
      azure_config: *azure_config
    relationships:
      - type: cloudify.azure.relationships.contained_in_load_balancer
        target: loadbalancer

Mapped Operations:

cloudify.azure.nodes.network.LoadBalancer.Probe

Derived From: cloudify.nodes.Root

Properties:

See the Common Properties section.

Example

This example shows adding load balancer probe parameters, and explicitly defining the azure_config.

  loadbalancerprobe:
    type: cloudify.azure.nodes.network.LoadBalancer.Probe
    properties:
      name: lbprobe
      location: { get_input: location }
      retry_after: { get_input: retry_after }
      azure_config: *azure_config
      resource_config:
        protocol: Http
        port: { get_input: webserver_port }
        requestPath: index.html
    relationships:
    - type: cloudify.azure.relationships.contained_in_load_balancer
      target: loadbalancer
    - type: cloudify.relationships.depends_on
      target: loadbalancerbackendpool

Mapped Operations:

cloudify.azure.nodes.network.LoadBalancer.IncomingNATRule

Derived From: cloudify.nodes.Root

Properties:

See the Common Properties section.

Mapped Operations:

cloudify.azure.nodes.network.LoadBalancer.Rule

Derived From: cloudify.nodes.Root

Properties:

See the Common Properties section.

Example

This example shows adding load balancer rule parameters, and explicitly defining the azure_config.

  loadbalancerrule:
    type: cloudify.azure.nodes.network.LoadBalancer.Rule
    properties:
      name: mylbrule
      location: { get_input: location }
      retry_after: { get_input: retry_after }
      azure_config: *azure_config
      resource_config:
        protocol: Tcp
        backendPort: { get_input: webserver_port }
        frontendPort: { get_input: loadbalancer_port }
    relationships:
    - type: cloudify.azure.relationships.contained_in_load_balancer
      target: loadbalancer
    - type: cloudify.azure.relationships.connected_to_ip_configuration
      target: loadbalanceripcfg
    - type: cloudify.azure.relationships.connected_to_lb_be_pool
      target: loadbalancerbackendpool
    - type: cloudify.azure.relationships.connected_to_lb_probe
      target: loadbalancerprobe

Mapped Operations:

cloudify.azure.nodes.compute.ManagedCluster

Derived From: cloudify.nodes.Root

Properties:

See the Common Properties section.

Example

This example shows creating an AKS cluster, and explicitly defining the azure_config.

  resource_group:
    type: cloudify.azure.nodes.ResourceGroup
    properties:
      name: { get_input: resource_group_name }
      location: { get_input: location }
      azure_config: *azure_config
  managed_cluster:
    type: cloudify.azure.nodes.compute.ManagedCluster
    properties:
      resource_group: { get_input: resource_group_name }
      cluster_name: { get_input: managed_cluster_name }
      resource_config:
        location: { get_input: location }
        tags:
          Name: "AKS_Test"
          tier: "Testing"
        kubernetes_version: "" # keep default
        dns_prefix: "akstest"
        agent_pool_profiles:
          - name: "nodepool1"
            count: 3
            vmSize: "Standard_DS1_v2"
            osType: "Linux"
            type: "VirtualMachineScaleSets"
            availabilityZones:
              - "1"
              - "2"
              - "3"
            enableNodePublicIP: true
        linux_profile:
          adminUsername: "azureuser"
          ssh:
            publicKeys:
              - keyData : { get_input: public_key }
        network_profile:
          loadBalancerSku: "standard"
          outboundType: "loadBalancer"
          loadBalancerProfile:
            managedOutboundIPs:
              count: 2
        windows_profile:
          adminUsername: "azureuser"
          adminPassword: "az#1234" # sample value only; supply real passwords via get_secret
        service_principal_profile:
          clientId: { get_input: client_id }
          secret: { get_input: client_secret }
        addon_profiles: {}
        enable_rbac: true
      azure_config: *azure_config
      store_kube_config_in_runtime: true
    relationships:
    - type: cloudify.azure.relationships.contained_in_resource_group
      target: resource_group

Mapped Operations:

Relationships

See relationships.

The following plugin relationship operations are defined in the Azure plugin:

Using Existing Resources

You can use existing resources on Azure, regardless of whether they have been created by a different Cloudify deployment or outside of Cloudify.

All Cloudify Azure types have a property named use_external_resource, for which the default value is false. When set to true, the plugin applies different semantics for each of the operations executed on the relevant node’s instances:

If use_external_resource is set to true in the blueprint, the name must be that resource’s name in Azure.

This behavior is common to all resource types: